Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
vur7t4SumQ.dll

Overview

General Information

Sample Name:vur7t4SumQ.dll
Analysis ID:626495
MD5:b4f74ea581aba7c9e44b4a0053d20bfe
SHA1:eec25f21b828ae3aa2cb49dcd418855e98993ad7
SHA256:91808c38624d6b8a14a9d86ce4e7fa9815ae08b359748873507db505255c2efe
Tags:exetrojan
Infos:

Detection

Emotet
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
IP address seen in connection with other malware
PE file contains an invalid checksum
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 6964 cmdline: loaddll64.exe "C:\Users\user\Desktop\vur7t4SumQ.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
    • cmd.exe (PID: 7012 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\vur7t4SumQ.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 7036 cmdline: rundll32.exe "C:\Users\user\Desktop\vur7t4SumQ.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • regsvr32.exe (PID: 7024 cmdline: regsvr32.exe /s C:\Users\user\Desktop\vur7t4SumQ.dll MD5: D78B75FC68247E8A63ACBA846182740E)
      • regsvr32.exe (PID: 7160 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QpRiewx\dKRLHbLQXAMim.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
    • rundll32.exe (PID: 7060 cmdline: rundll32.exe C:\Users\user\Desktop\vur7t4SumQ.dll,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 7104 cmdline: rundll32.exe C:\Users\user\Desktop\vur7t4SumQ.dll,DllUnregisterServer MD5: 73C519F050C20580F8A62C849D49215A)
      • WerFault.exe (PID: 4236 cmdline: C:\Windows\system32\WerFault.exe -u -p 7104 -s 336 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
  • svchost.exe (PID: 6184 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 5832 cmdline: C:\Windows\system32\WerFault.exe -pss -s 492 -p 7104 -ip 7104 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
  • svchost.exe (PID: 5712 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6496 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7028 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6340 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1820 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000005.00000000.391402911.0000025875C10000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
    00000003.00000002.383682759.00000225740C0000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
      00000002.00000002.385974749.0000000000E10000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
        00000005.00000002.474314790.0000025875C10000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
          00000005.00000002.474148480.0000000180001000.00000020.00001000.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
            Click to see the 9 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            6.2.regsvr32.exe.2590000.1.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
              4.2.rundll32.exe.1d80d4f0000.1.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                5.0.rundll32.exe.25875c10000.1.raw.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                  2.2.regsvr32.exe.e10000.0.raw.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                    4.2.rundll32.exe.1d80d4f0000.1.raw.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                      Click to see the 9 entries

                      Sigma Signatures

                      No Sigma rule has matched

                      Snort Signatures

                      No Snort rule has matched

                      Joe Sandbox Signatures

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Multi AV Scanner detection for submitted file
                      Source: vur7t4SumQ.dllVirustotal: Detection: 35%Perma Link
                      Antivirus detection for URL or domain
                      Source: https://23.239.0.12/dllrG4Avira URL Cloud: Label: malware
                      Source: unknownHTTPS traffic detected: 23.239.0.12:443 -> 192.168.2.6:49772 version: TLS 1.2
                      Source: vur7t4SumQ.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: msacm32.pdb source: rundll32.exe, 00000005.00000000.389644763.0000009FDED55000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.474184868.0000009FDED55000.00000004.00000010.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.759111056.0000000000905000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: msacm32.pdbGCTL source: rundll32.exe, 00000005.00000000.389644763.0000009FDED55000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.474184868.0000009FDED55000.00000004.00000010.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.759111056.0000000000905000.00000004.00000010.00020000.00000000.sdmp
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000D26C FindFirstFileW,FindNextFileW,FindClose,6_2_000000018000D26C

                      Networking

                      barindex
                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 23.239.0.12 443Jump to behavior
                      Source: Joe Sandbox ViewASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS
                      Source: Joe Sandbox ViewJA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1Cookie: LfcshBB=9K9xNKen7udDeb1J4OQyijqGfmzzXo68BI+bQ+LkDM69N5Z+tt9oOOCK9f/7rt6//U0Vq39OhpiP9jVbw2BTUiRQ7mMr6aTri/fh0NaOk28RU7YJkRTEIVgJRZHGtilk5myUCiBIQeMH+hqUkNDpw/OZ13V75DgTrxKFRTcKMU4qV9d/U8reAX4q7GM5O3IrQvwhgAszodlLlbDAakiFaZE4AFW95EPShqwCclTorVq663gqXvWIBkslURg=Host: 23.239.0.12Connection: Keep-AliveCache-Control: no-cache
                      Source: Joe Sandbox ViewIP Address: 23.239.0.12 23.239.0.12
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49772
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49772 -> 443
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: svchost.exe, 0000001A.00000003.591416499.00000267D0F78000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.facebook.com (Facebook)
                      Source: svchost.exe, 0000001A.00000003.591416499.00000267D0F78000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.twitter.com (Twitter)
                      Source: svchost.exe, 0000001A.00000003.591416499.00000267D0F78000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.590504414.00000267D0F86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-05-13T10:00:01.2192622Z||.||8adb3f26-c14b-4fc0-afb3-91b3c6daaa3f||1152921505694830749||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                      Source: svchost.exe, 0000001A.00000003.591416499.00000267D0F78000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.590504414.00000267D0F86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-05-13T10:00:01.2192622Z||.||8adb3f26-c14b-4fc0-afb3-91b3c6daaa3f||1152921505694830749||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                      Source: regsvr32.exe, 00000006.00000003.447499145.0000000000CBB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.759398991.0000000000CBB000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.639824173.00000267D06EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: svchost.exe, 0000001A.00000002.639824173.00000267D06EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                      Source: svchost.exe, 0000001A.00000003.610926129.00000267D0F8A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.610933799.00000267D0F9B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.611102190.00000267D0FAC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://help.disneyplus.com.
                      Source: regsvr32.exe, 00000006.00000002.759361645.0000000000C8F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.759302159.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.447608309.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.447563134.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.447637597.0000000000C61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://23.239.0.12/
                      Source: regsvr32.exe, 00000006.00000002.759302159.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.447563134.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.447637597.0000000000C61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://23.239.0.12/dllrG4
                      Source: svchost.exe, 0000001A.00000003.610926129.00000267D0F8A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.610933799.00000267D0F9B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.611102190.00000267D0FAC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://disneyplus.com/legal.
                      Source: svchost.exe, 0000001A.00000003.605333125.00000267D0FAA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605313773.00000267D0F88000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605236257.00000267D0FAA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605355013.00000267D1419000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605222554.00000267D0F9A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605266639.00000267D1403000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605251329.00000267D1402000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.hotspotshield.com/
                      Source: svchost.exe, 0000001A.00000003.610926129.00000267D0F8A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.610933799.00000267D0F9B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.611102190.00000267D0FAC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
                      Source: svchost.exe, 0000001A.00000003.610926129.00000267D0F8A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.610933799.00000267D0F9B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.611102190.00000267D0FAC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
                      Source: svchost.exe, 0000001A.00000003.605333125.00000267D0FAA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605313773.00000267D0F88000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605236257.00000267D0FAA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605355013.00000267D1419000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605222554.00000267D0F9A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605266639.00000267D1403000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605251329.00000267D1402000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.hotspotshield.com/terms/
                      Source: svchost.exe, 0000001A.00000003.605333125.00000267D0FAA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605313773.00000267D0F88000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605236257.00000267D0FAA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605355013.00000267D1419000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605222554.00000267D0F9A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605266639.00000267D1403000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605251329.00000267D1402000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.pango.co/privacy
                      Source: svchost.exe, 0000001A.00000003.619534396.00000267D0F8A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.619552540.00000267D0F9B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.tiktok.com/legal/report/feedback
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800132F0 InternetReadFile,RtlAllocateHeap,6_2_00000001800132F0
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1Cookie: LfcshBB=9K9xNKen7udDeb1J4OQyijqGfmzzXo68BI+bQ+LkDM69N5Z+tt9oOOCK9f/7rt6//U0Vq39OhpiP9jVbw2BTUiRQ7mMr6aTri/fh0NaOk28RU7YJkRTEIVgJRZHGtilk5myUCiBIQeMH+hqUkNDpw/OZ13V75DgTrxKFRTcKMU4qV9d/U8reAX4q7GM5O3IrQvwhgAszodlLlbDAakiFaZE4AFW95EPShqwCclTorVq663gqXvWIBkslURg=Host: 23.239.0.12Connection: Keep-AliveCache-Control: no-cache
                      Source: unknownHTTPS traffic detected: 23.239.0.12:443 -> 192.168.2.6:49772 version: TLS 1.2

                      E-Banking Fraud

                      barindex
                      Yara detected Emotet
                      Source: Yara matchFile source: 6.2.regsvr32.exe.2590000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.1d80d4f0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.rundll32.exe.25875c10000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.e10000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.1d80d4f0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.25875c10000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.225740c0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.rundll32.exe.25875c10000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.regsvr32.exe.2590000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.rundll32.exe.25875c10000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.25875c10000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.e10000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.225740c0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.rundll32.exe.25875c10000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000005.00000000.391402911.0000025875C10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.383682759.00000225740C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.385974749.0000000000E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.474314790.0000025875C10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.474148480.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.384056967.000001D80D4F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.391196751.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.390207930.0000025875C10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.383720280.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.382880372.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.389604271.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.759523797.0000000002590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.759708850.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 492 -p 7104 -ip 7104
                      Source: C:\Windows\System32\regsvr32.exeFile deleted: C:\Windows\System32\QpRiewx\dKRLHbLQXAMim.dll:Zone.IdentifierJump to behavior
                      Source: C:\Windows\System32\regsvr32.exeFile created: C:\Windows\system32\QpRiewx\Jump to behavior
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF2F3CFB6C2_2_00007FFF2F3CFB6C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF2F3CEB602_2_00007FFF2F3CEB60
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF2F3CA77C2_2_00007FFF2F3CA77C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF2F3CAF702_2_00007FFF2F3CAF70
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF2F3C6F0C2_2_00007FFF2F3C6F0C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF2F3CE6C02_2_00007FFF2F3CE6C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF2F3C59442_2_00007FFF2F3C5944
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF2F3C895C2_2_00007FFF2F3C895C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF2F3CAA0C2_2_00007FFF2F3CAA0C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF2F3CB5CC2_2_00007FFF2F3CB5CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF2F3CFCA02_2_00007FFF2F3CFCA0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00E000002_2_00E00000
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180010FF42_2_0000000180010FF4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180028C202_2_0000000180028C20
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018002C0582_2_000000018002C058
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800091002_2_0000000180009100
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800079582_2_0000000180007958
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000C6082_2_000000018000C608
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800216182_2_0000000180021618
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180013E282_2_0000000180013E28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001E3AC2_2_000000018001E3AC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001DBE82_2_000000018001DBE8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001FC0C2_2_000000018001FC0C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000580C2_2_000000018000580C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800220102_2_0000000180022010
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001481C2_2_000000018001481C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018002A42C2_2_000000018002A42C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800118342_2_0000000180011834
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800238312_2_0000000180023831
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180021C3C2_2_0000000180021C3C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000703C2_2_000000018000703C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000AC482_2_000000018000AC48
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000FC482_2_000000018000FC48
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800064582_2_0000000180006458
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001C05C2_2_000000018001C05C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001A4602_2_000000018001A460
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800298882_2_0000000180029888
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001D49C2_2_000000018001D49C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180008CA02_2_0000000180008CA0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800248A82_2_00000001800248A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180015CB02_2_0000000180015CB0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800124B42_2_00000001800124B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000C4B42_2_000000018000C4B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800288B82_2_00000001800288B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800024B82_2_00000001800024B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000D8C42_2_000000018000D8C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800250CC2_2_00000001800250CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800190D42_2_00000001800190D4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180017CE42_2_0000000180017CE4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800264F02_2_00000001800264F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800014F82_2_00000001800014F8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180020CFC2_2_0000000180020CFC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018002C9042_2_000000018002C904
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800179082_2_0000000180017908
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800215102_2_0000000180021510
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000F9172_2_000000018000F917
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000551C2_2_000000018000551C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000F1282_2_000000018000F128
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001CD382_2_000000018001CD38
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180016D3C2_2_0000000180016D3C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001F9442_2_000000018001F944
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800181482_2_0000000180018148
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001D9502_2_000000018001D950
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800131502_2_0000000180013150
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001ED502_2_000000018001ED50
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001E9602_2_000000018001E960
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180019D602_2_0000000180019D60
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001C9642_2_000000018001C964
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180001D682_2_0000000180001D68
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001496C2_2_000000018001496C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180002D702_2_0000000180002D70
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800021782_2_0000000180002178
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180024D802_2_0000000180024D80
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800185982_2_0000000180018598
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800035982_2_0000000180003598
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018002A9A82_2_000000018002A9A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800119A82_2_00000001800119A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180025DAC2_2_0000000180025DAC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180018DAC2_2_0000000180018DAC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800269B02_2_00000001800269B0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800059B82_2_00000001800059B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800029BC2_2_00000001800029BC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800141C02_2_00000001800141C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800125C42_2_00000001800125C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800121CC2_2_00000001800121CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800075D42_2_00000001800075D4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800095DC2_2_00000001800095DC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000F9E82_2_000000018000F9E8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800026102_2_0000000180002610
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800196182_2_0000000180019618
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001FA382_2_000000018001FA38
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000A2702_2_000000018000A270
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180019E782_2_0000000180019E78
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001DA802_2_000000018001DA80
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800246982_2_0000000180024698
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000EE982_2_000000018000EE98
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800176B82_2_00000001800176B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001AAB82_2_000000018001AAB8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180011AD02_2_0000000180011AD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180008AD82_2_0000000180008AD8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800296EC2_2_00000001800296EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000A6EC2_2_000000018000A6EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800132F02_2_00000001800132F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800193002_2_0000000180019300
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001BB042_2_000000018001BB04
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018002870C2_2_000000018002870C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180026B102_2_0000000180026B10
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000131C2_2_000000018000131C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000671C2_2_000000018000671C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180029B282_2_0000000180029B28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180012F282_2_0000000180012F28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000BB282_2_000000018000BB28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001EB302_2_000000018001EB30
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800203342_2_0000000180020334
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800107582_2_0000000180010758
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001435C2_2_000000018001435C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180009F5C2_2_0000000180009F5C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800293682_2_0000000180029368
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800207682_2_0000000180020768
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800173782_2_0000000180017378
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800137802_2_0000000180013780
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800153882_2_0000000180015388
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000338C2_2_000000018000338C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000738C2_2_000000018000738C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800027902_2_0000000180002790
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180027F9C2_2_0000000180027F9C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800197A02_2_00000001800197A0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018002C7B42_2_000000018002C7B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001DFB42_2_000000018001DFB4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001F7C02_2_000000018001F7C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800097C02_2_00000001800097C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800157D82_2_00000001800157D8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180019FDC2_2_0000000180019FDC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180017BDC2_2_0000000180017BDC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000F7E02_2_000000018000F7E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180001FE02_2_0000000180001FE0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180010FF43_2_0000000180010FF4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180028C203_2_0000000180028C20
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018002C0583_2_000000018002C058
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800091003_2_0000000180009100
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001C9643_2_000000018001C964
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000C6083_2_000000018000C608
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800216183_2_0000000180021618
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001E3AC3_2_000000018001E3AC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001DBE83_2_000000018001DBE8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001FC0C3_2_000000018001FC0C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000580C3_2_000000018000580C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800220103_2_0000000180022010
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001481C3_2_000000018001481C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018002A42C3_2_000000018002A42C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800118343_2_0000000180011834
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800238313_2_0000000180023831
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180021C3C3_2_0000000180021C3C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000703C3_2_000000018000703C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000AC483_2_000000018000AC48
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000FC483_2_000000018000FC48
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800064583_2_0000000180006458
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001C05C3_2_000000018001C05C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001A4603_2_000000018001A460
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800298883_2_0000000180029888
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001D49C3_2_000000018001D49C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180008CA03_2_0000000180008CA0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800248A83_2_00000001800248A8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180015CB03_2_0000000180015CB0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800124B43_2_00000001800124B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000C4B43_2_000000018000C4B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800288B83_2_00000001800288B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800024B83_2_00000001800024B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000D8C43_2_000000018000D8C4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800250CC3_2_00000001800250CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800190D43_2_00000001800190D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180017CE43_2_0000000180017CE4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800264F03_2_00000001800264F0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800014F83_2_00000001800014F8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180020CFC3_2_0000000180020CFC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018002C9043_2_000000018002C904
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800179083_2_0000000180017908
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800215103_2_0000000180021510
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000F9173_2_000000018000F917
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000551C3_2_000000018000551C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000F1283_2_000000018000F128
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001CD383_2_000000018001CD38
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180016D3C3_2_0000000180016D3C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001F9443_2_000000018001F944
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800181483_2_0000000180018148
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001ED503_2_000000018001ED50
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800131503_2_0000000180013150
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001D9503_2_000000018001D950
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001E9603_2_000000018001E960
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180019D603_2_0000000180019D60
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180001D683_2_0000000180001D68
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001496C3_2_000000018001496C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180002D703_2_0000000180002D70
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800021783_2_0000000180002178
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180024D803_2_0000000180024D80
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800185983_2_0000000180018598
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800035983_2_0000000180003598
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018002A9A83_2_000000018002A9A8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800119A83_2_00000001800119A8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180025DAC3_2_0000000180025DAC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180018DAC3_2_0000000180018DAC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800269B03_2_00000001800269B0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800059B83_2_00000001800059B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800029BC3_2_00000001800029BC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800141C03_2_00000001800141C0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800125C43_2_00000001800125C4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800121CC3_2_00000001800121CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000BDD03_2_000000018000BDD0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800075D43_2_00000001800075D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800095DC3_2_00000001800095DC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000F9E83_2_000000018000F9E8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800026103_2_0000000180002610
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800196183_2_0000000180019618
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180013E283_2_0000000180013E28
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001FA383_2_000000018001FA38
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000A2703_2_000000018000A270
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180019E783_2_0000000180019E78
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001DA803_2_000000018001DA80
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800246983_2_0000000180024698
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000EE983_2_000000018000EE98
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800176B83_2_00000001800176B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001AAB83_2_000000018001AAB8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180011AD03_2_0000000180011AD0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180008AD83_2_0000000180008AD8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800296EC3_2_00000001800296EC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000A6EC3_2_000000018000A6EC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800132F03_2_00000001800132F0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800193003_2_0000000180019300
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001BB043_2_000000018001BB04
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018002870C3_2_000000018002870C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180026B103_2_0000000180026B10
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000131C3_2_000000018000131C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000671C3_2_000000018000671C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180029B283_2_0000000180029B28
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180012F283_2_0000000180012F28
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000BB283_2_000000018000BB28
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001EB303_2_000000018001EB30
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800203343_2_0000000180020334
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800107583_2_0000000180010758
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001435C3_2_000000018001435C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180009F5C3_2_0000000180009F5C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800293683_2_0000000180029368
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800207683_2_0000000180020768
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800173783_2_0000000180017378
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800137803_2_0000000180013780
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800153883_2_0000000180015388
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000338C3_2_000000018000338C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000738C3_2_000000018000738C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800027903_2_0000000180002790
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180027F9C3_2_0000000180027F9C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800197A03_2_00000001800197A0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018002C7B43_2_000000018002C7B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001DFB43_2_000000018001DFB4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001F7C03_2_000000018001F7C0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800097C03_2_00000001800097C0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800157D83_2_00000001800157D8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180019FDC3_2_0000000180019FDC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180017BDC3_2_0000000180017BDC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000F7E03_2_000000018000F7E0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180001FE03_2_0000000180001FE0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000022572A700003_2_0000022572A70000
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180010FF44_2_0000000180010FF4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018002C0584_2_000000018002C058
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800091004_2_0000000180009100
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000C6084_2_000000018000C608
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800216184_2_0000000180021618
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001E3AC4_2_000000018001E3AC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001DBE84_2_000000018001DBE8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001FC0C4_2_000000018001FC0C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000580C4_2_000000018000580C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800220104_2_0000000180022010
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001481C4_2_000000018001481C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018002A42C4_2_000000018002A42C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800118344_2_0000000180011834
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180021C3C4_2_0000000180021C3C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000703C4_2_000000018000703C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000AC484_2_000000018000AC48
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000FC484_2_000000018000FC48
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800064584_2_0000000180006458
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001C05C4_2_000000018001C05C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001A4604_2_000000018001A460
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800298884_2_0000000180029888
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001D49C4_2_000000018001D49C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180008CA04_2_0000000180008CA0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800248A84_2_00000001800248A8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180015CB04_2_0000000180015CB0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800124B44_2_00000001800124B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000C4B44_2_000000018000C4B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800288B84_2_00000001800288B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800024B84_2_00000001800024B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000D8C44_2_000000018000D8C4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800250CC4_2_00000001800250CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800190D44_2_00000001800190D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180017CE44_2_0000000180017CE4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800264F04_2_00000001800264F0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800014F84_2_00000001800014F8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180020CFC4_2_0000000180020CFC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018002C9044_2_000000018002C904
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800179084_2_0000000180017908
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800215104_2_0000000180021510
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000F9174_2_000000018000F917
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000551C4_2_000000018000551C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000F1284_2_000000018000F128
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001CD384_2_000000018001CD38
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180016D3C4_2_0000000180016D3C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001F9444_2_000000018001F944
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800181484_2_0000000180018148
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001ED504_2_000000018001ED50
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800131504_2_0000000180013150
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001D9504_2_000000018001D950
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001E9604_2_000000018001E960
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180019D604_2_0000000180019D60
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001C9644_2_000000018001C964
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180001D684_2_0000000180001D68
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001496C4_2_000000018001496C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180002D704_2_0000000180002D70
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800021784_2_0000000180002178
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180024D804_2_0000000180024D80
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800185984_2_0000000180018598
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800035984_2_0000000180003598
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018002A9A84_2_000000018002A9A8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800119A84_2_00000001800119A8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180025DAC4_2_0000000180025DAC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180018DAC4_2_0000000180018DAC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800269B04_2_00000001800269B0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800059B84_2_00000001800059B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800029BC4_2_00000001800029BC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800141C04_2_00000001800141C0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800125C44_2_00000001800125C4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800121CC4_2_00000001800121CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800075D44_2_00000001800075D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800095DC4_2_00000001800095DC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000F9E84_2_000000018000F9E8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800026104_2_0000000180002610
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800196184_2_0000000180019618
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180013E284_2_0000000180013E28
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001FA384_2_000000018001FA38
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000A2704_2_000000018000A270
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180019E784_2_0000000180019E78
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001DA804_2_000000018001DA80
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800246984_2_0000000180024698
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000EE984_2_000000018000EE98
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800176B84_2_00000001800176B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001AAB84_2_000000018001AAB8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180011AD04_2_0000000180011AD0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180008AD84_2_0000000180008AD8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800296EC4_2_00000001800296EC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000A6EC4_2_000000018000A6EC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800132F04_2_00000001800132F0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800193004_2_0000000180019300
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001BB044_2_000000018001BB04
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018002870C4_2_000000018002870C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180026B104_2_0000000180026B10
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000131C4_2_000000018000131C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000671C4_2_000000018000671C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180029B284_2_0000000180029B28
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180012F284_2_0000000180012F28
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000BB284_2_000000018000BB28
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001EB304_2_000000018001EB30
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800203344_2_0000000180020334
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800107584_2_0000000180010758
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001435C4_2_000000018001435C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180009F5C4_2_0000000180009F5C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800293684_2_0000000180029368
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800207684_2_0000000180020768
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800173784_2_0000000180017378
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800137804_2_0000000180013780
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800153884_2_0000000180015388
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000338C4_2_000000018000338C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000738C4_2_000000018000738C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800027904_2_0000000180002790
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800197A04_2_00000001800197A0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018002C7B44_2_000000018002C7B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001DFB44_2_000000018001DFB4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001F7C04_2_000000018001F7C0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800097C04_2_00000001800097C0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800157D84_2_00000001800157D8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180019FDC4_2_0000000180019FDC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180017BDC4_2_0000000180017BDC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000F7E04_2_000000018000F7E0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180001FE04_2_0000000180001FE0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000001D80D4E00004_2_000001D80D4E0000
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_0000025875C000005_2_0000025875C00000
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_009E00006_2_009E0000
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180010FF46_2_0000000180010FF4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180028C206_2_0000000180028C20
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018002C0586_2_000000018002C058
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001ACA46_2_000000018001ACA4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000551C6_2_000000018000551C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800181486_2_0000000180018148
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000E1E06_2_000000018000E1E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000C6086_2_000000018000C608
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800216186_2_0000000180021618
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180013E286_2_0000000180013E28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018002AE446_2_000000018002AE44
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000D26C6_2_000000018000D26C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800252786_2_0000000180025278
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000EE986_2_000000018000EE98
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800046A86_2_00000001800046A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180004ACA6_2_0000000180004ACA
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800132F06_2_00000001800132F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180026B106_2_0000000180026B10
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001DBE86_2_000000018001DBE8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001FC0C6_2_000000018001FC0C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000580C6_2_000000018000580C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800220106_2_0000000180022010
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001481C6_2_000000018001481C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018002A42C6_2_000000018002A42C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800118346_2_0000000180011834
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180021C3C6_2_0000000180021C3C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000703C6_2_000000018000703C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000AC486_2_000000018000AC48
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000FC486_2_000000018000FC48
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800244586_2_0000000180024458
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800064586_2_0000000180006458
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001C05C6_2_000000018001C05C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001A4606_2_000000018001A460
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800298886_2_0000000180029888
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001D49C6_2_000000018001D49C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180008CA06_2_0000000180008CA0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800248A86_2_00000001800248A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180015CB06_2_0000000180015CB0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800124B46_2_00000001800124B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000C4B46_2_000000018000C4B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800288B86_2_00000001800288B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800024B86_2_00000001800024B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000D8C46_2_000000018000D8C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800250CC6_2_00000001800250CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800190D46_2_00000001800190D4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180017CE46_2_0000000180017CE4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800264F06_2_00000001800264F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800014F86_2_00000001800014F8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180020CFC6_2_0000000180020CFC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800091006_2_0000000180009100
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018002C9046_2_000000018002C904
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800179086_2_0000000180017908
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800215106_2_0000000180021510
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000F9176_2_000000018000F917
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000F1286_2_000000018000F128
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001CD386_2_000000018001CD38
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180016D3C6_2_0000000180016D3C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001F9446_2_000000018001F944
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001D9506_2_000000018001D950
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800131506_2_0000000180013150
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001ED506_2_000000018001ED50
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001E9606_2_000000018001E960
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180019D606_2_0000000180019D60
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001C9646_2_000000018001C964
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001C5686_2_000000018001C568
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180001D686_2_0000000180001D68
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001496C6_2_000000018001496C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180002D706_2_0000000180002D70
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800245746_2_0000000180024574
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800021786_2_0000000180002178
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180024D806_2_0000000180024D80
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800185986_2_0000000180018598
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800035986_2_0000000180003598
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001F1A46_2_000000018001F1A4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018002A9A86_2_000000018002A9A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800119A86_2_00000001800119A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180025DAC6_2_0000000180025DAC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180018DAC6_2_0000000180018DAC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800269B06_2_00000001800269B0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800059B86_2_00000001800059B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800029BC6_2_00000001800029BC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800141C06_2_00000001800141C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800125C46_2_00000001800125C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800121CC6_2_00000001800121CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000BDD06_2_000000018000BDD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800075D46_2_00000001800075D4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800095DC6_2_00000001800095DC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000F9E86_2_000000018000F9E8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800026106_2_0000000180002610
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800196186_2_0000000180019618
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001FA386_2_000000018001FA38
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000A2706_2_000000018000A270
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180019E786_2_0000000180019E78
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001DA806_2_000000018001DA80
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800246986_2_0000000180024698
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800176B86_2_00000001800176B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001AAB86_2_000000018001AAB8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018002CAD06_2_000000018002CAD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180011AD06_2_0000000180011AD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180008AD86_2_0000000180008AD8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800296EC6_2_00000001800296EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000A6EC6_2_000000018000A6EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800193006_2_0000000180019300
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001BB046_2_000000018001BB04
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018002870C6_2_000000018002870C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000131C6_2_000000018000131C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000671C6_2_000000018000671C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180029B286_2_0000000180029B28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180012F286_2_0000000180012F28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000BB286_2_000000018000BB28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001EB306_2_000000018001EB30
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800203346_2_0000000180020334
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800107586_2_0000000180010758
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001435C6_2_000000018001435C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180009F5C6_2_0000000180009F5C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800293686_2_0000000180029368
                      Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc.dllJump to behavior
                      Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc.dllJump to behavior
                      Source: vur7t4SumQ.dllVirustotal: Detection: 35%
                      Source: vur7t4SumQ.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll64.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\vur7t4SumQ.dll"
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\vur7t4SumQ.dll",#1
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\vur7t4SumQ.dll
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vur7t4SumQ.dll",#1
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vur7t4SumQ.dll,DllRegisterServer
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vur7t4SumQ.dll,DllUnregisterServer
                      Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QpRiewx\dKRLHbLQXAMim.dll"
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 492 -p 7104 -ip 7104
                      Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7104 -s 336
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\vur7t4SumQ.dll",#1Jump to behavior
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\vur7t4SumQ.dllJump to behavior
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vur7t4SumQ.dll,DllRegisterServerJump to behavior
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vur7t4SumQ.dll,DllUnregisterServerJump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vur7t4SumQ.dll",#1Jump to behavior
                      Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QpRiewx\dKRLHbLQXAMim.dll"Jump to behavior
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 492 -p 7104 -ip 7104Jump to behavior
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7104 -s 336Jump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Windows\System32\regsvr32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32Jump to behavior
                      Source: C:\Windows\System32\svchost.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER846.tmpJump to behavior
                      Source: classification engineClassification label: mal76.troj.evad.winDLL@24/6@0/2
                      Source: C:\Windows\System32\regsvr32.exeFile read: C:\Users\desktop.iniJump to behavior
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800046A8 CreateToolhelp32Snapshot,Process32FirstW,FindCloseChangeNotification,6_2_00000001800046A8
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vur7t4SumQ.dll",#1
                      Source: C:\Windows\System32\WerFault.exeMutant created: \BaseNamedObjects\Local\SM0:5832:120:WilError_01
                      Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7104
                      Source: C:\Windows\System32\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: vur7t4SumQ.dllStatic PE information: Image base 0x180000000 > 0x60000000
                      Source: vur7t4SumQ.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: msacm32.pdb source: rundll32.exe, 00000005.00000000.389644763.0000009FDED55000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.474184868.0000009FDED55000.00000004.00000010.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.759111056.0000000000905000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: msacm32.pdbGCTL source: rundll32.exe, 00000005.00000000.389644763.0000009FDED55000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.474184868.0000009FDED55000.00000004.00000010.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.759111056.0000000000905000.00000004.00000010.00020000.00000000.sdmp
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001AFFD push ebp; retf 2_2_000000018001AFFE
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800051D1 push ebp; iretd 2_2_00000001800051D2
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001BA32 push ebp; retf 2_2_000000018001BA33
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180004E83 push es; ret 2_2_0000000180004E84
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001B694 push es; ret 2_2_000000018001B6E9
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001BADD push ebp; iretd 2_2_000000018001BADE
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001B717 push ebp; iretd 2_2_000000018001B718
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001AF4E push ebp; retf 2_2_000000018001AF4F
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001AFFD push ebp; retf 3_2_000000018001AFFE
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800051D1 push ebp; iretd 3_2_00000001800051D2
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001BA32 push ebp; retf 3_2_000000018001BA33
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180004E83 push es; ret 3_2_0000000180004E84
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001B694 push es; ret 3_2_000000018001B6E9
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001BADD push ebp; iretd 3_2_000000018001BADE
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001B717 push ebp; iretd 3_2_000000018001B718
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180007B3F push esp; retf 3_2_0000000180007B40
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001AF4E push ebp; retf 3_2_000000018001AF4F
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001AFFD push ebp; retf 4_2_000000018001AFFE
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800051D1 push ebp; iretd 4_2_00000001800051D2
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001BA32 push ebp; retf 4_2_000000018001BA33
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180004E83 push es; ret 4_2_0000000180004E84
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001B694 push es; ret 4_2_000000018001B6E9
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001BADD push ebp; iretd 4_2_000000018001BADE
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001B717 push ebp; iretd 4_2_000000018001B718
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180007B3F push esp; retf 4_2_0000000180007B40
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001AF4E push ebp; retf 4_2_000000018001AF4F
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800051D1 push ebp; iretd 6_2_00000001800051D2
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180004E83 push es; ret 6_2_0000000180004E84
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180007B3F push esp; retf 6_2_0000000180007B40
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF2F3C7BE8 DecodePointer,_errno,LoadLibraryA,GetProcAddress,_errno,GetLastError,GetLastError,EncodePointer,FreeLibrary,_errno,_errno,2_2_00007FFF2F3C7BE8
                      Source: vur7t4SumQ.dllStatic PE information: real checksum: 0x85ab6 should be: 0x8a0d4
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\vur7t4SumQ.dll
                      Source: C:\Windows\System32\regsvr32.exePE file moved: C:\Windows\System32\QpRiewx\dKRLHbLQXAMim.dllJump to behavior

                      Hooking and other Techniques for Hiding and Protection

                      barindex
                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Windows\System32\regsvr32.exeFile opened: C:\Windows\system32\QpRiewx\dKRLHbLQXAMim.dll:Zone.Identifier read attributes | deleteJump to behavior
                      Source: C:\Windows\System32\rundll32.exeFile opened: C:\Windows\system32\YJCJYg\qNHgWFlkM.dll:Zone.Identifier read attributes | deleteJump to behavior
                      Source: C:\Windows\System32\rundll32.exeFile opened: C:\Windows\system32\FeHiXMQHQKNrh\bnuTDajnMn.dll:Zone.Identifier read attributes | deleteJump to behavior
                      Source: C:\Windows\System32\regsvr32.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\svchost.exe TID: 5816Thread sleep time: -30000s >= -30000sJump to behavior
                      Source: C:\Windows\System32\regsvr32.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_2-10019
                      Source: C:\Windows\System32\regsvr32.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000D26C FindFirstFileW,FindNextFileW,FindClose,6_2_000000018000D26C
                      Source: C:\Windows\System32\regsvr32.exeAPI call chain: ExitProcess graph end nodegraph_2-10021
                      Source: C:\Windows\System32\regsvr32.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Windows\System32\rundll32.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: regsvr32.exe, 00000006.00000002.759361645.0000000000C8F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.447608309.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.447563134.0000000000C61000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW0
                      Source: svchost.exe, 0000001A.00000002.639754365.00000267D06AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWp
                      Source: regsvr32.exe, 00000006.00000002.759361645.0000000000C8F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.759302159.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.447608309.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.447563134.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.447637597.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.639824173.00000267D06EC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.639692855.00000267D0670000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                      Source: svchost.exe, 00000010.00000002.759237584.00000238BBC02000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
                      Source: svchost.exe, 00000010.00000002.759283945.00000238BBC24000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF2F3C6550 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FFF2F3C6550
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF2F3C7BE8 DecodePointer,_errno,LoadLibraryA,GetProcAddress,_errno,GetLastError,GetLastError,EncodePointer,FreeLibrary,_errno,_errno,2_2_00007FFF2F3C7BE8
                      Source: C:\Windows\System32\loaddll64.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Windows\System32\rundll32.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Windows\System32\rundll32.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF2F3CD318 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FFF2F3CD318
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF2F3C6550 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FFF2F3C6550
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF2F3C20E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FFF2F3C20E0

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 23.239.0.12 443Jump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vur7t4SumQ.dll",#1Jump to behavior
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 492 -p 7104 -ip 7104Jump to behavior
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7104 -s 336Jump to behavior
                      Source: C:\Windows\System32\regsvr32.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\regsvr32.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\regsvr32.exeCode function: GetLocaleInfoA,2_2_00007FFF2F3CC39C
                      Source: C:\Windows\System32\regsvr32.exeCode function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,free,GetLocaleInfoA,2_2_00007FFF2F3CDF98
                      Source: C:\Windows\System32\regsvr32.exeCode function: GetLocaleInfoW,2_2_00007FFF2F3CDF20
                      Source: C:\Windows\System32\regsvr32.exeCode function: GetLocaleInfoW,2_2_00007FFF2F3CDF3C
                      Source: C:\Windows\System32\regsvr32.exeCode function: EnumSystemLocalesA,2_2_00007FFF2F3CC7F4
                      Source: C:\Windows\System32\regsvr32.exeCode function: _getptd,GetLocaleInfoA,2_2_00007FFF2F3CC6E4
                      Source: C:\Windows\System32\regsvr32.exeCode function: _getptd,GetLocaleInfoA,2_2_00007FFF2F3CC2B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: GetLocaleInfoA,GetLocaleInfoA,GetACP,2_2_00007FFF2F3CC16C
                      Source: C:\Windows\System32\regsvr32.exeCode function: _getptd,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,_itow_s,2_2_00007FFF2F3CC934
                      Source: C:\Windows\System32\regsvr32.exeCode function: GetLocaleInfoA,2_2_00007FFF2F3CE1E8
                      Source: C:\Windows\System32\regsvr32.exeCode function: EnumSystemLocalesA,2_2_00007FFF2F3CC834
                      Source: C:\Windows\System32\regsvr32.exeCode function: _getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,2_2_00007FFF2F3CC450
                      Source: C:\Windows\System32\regsvr32.exeCode function: EnumSystemLocalesA,2_2_00007FFF2F3CC8C8
                      Source: C:\Windows\System32\regsvr32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF2F3C4558 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,2_2_00007FFF2F3C4558
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF2F3CE6C0 _lock,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,2_2_00007FFF2F3CE6C0

                      Stealing of Sensitive Information

                      barindex
                      Yara detected Emotet
                      Source: Yara matchFile source: 6.2.regsvr32.exe.2590000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.1d80d4f0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.rundll32.exe.25875c10000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.e10000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.1d80d4f0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.25875c10000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.225740c0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.rundll32.exe.25875c10000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.regsvr32.exe.2590000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.rundll32.exe.25875c10000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.25875c10000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.e10000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.225740c0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.rundll32.exe.25875c10000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000005.00000000.391402911.0000025875C10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.383682759.00000225740C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.385974749.0000000000E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.474314790.0000025875C10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.474148480.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.384056967.000001D80D4F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.391196751.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.390207930.0000025875C10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.383720280.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.382880372.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.389604271.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.759523797.0000000002590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.759708850.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid Accounts2
                      Native API                      		1
                      DLL Side-Loading                      		111
                      Process Injection                      		2
                      Masquerading                      		OS Credential Dumping2
                      System Time Discovery                      		Remote Services1
                      Archive Collected Data                      		Exfiltration Over Other Network Medium11
                      Encrypted Channel                      		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
                      DLL Side-Loading                      		2
                      Virtualization/Sandbox Evasion                      		LSASS Memory1
                      Query Registry                      		Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth2
                      Ingress Tool Transfer                      		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)111
                      Process Injection                      		Security Account Manager21
                      Security Software Discovery                      		SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
                      Non-Application Layer Protocol                      		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
                      Hidden Files and Directories                      		NTDS2
                      Virtualization/Sandbox Evasion                      		Distributed Component Object ModelInput CaptureScheduled Transfer2
                      Application Layer Protocol                      		SIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                      Obfuscated Files or Information                      		LSA Secrets2
                      Process Discovery                      		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.common1
                      Regsvr32                      		Cached Domain Credentials1
                      Remote System Discovery                      		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup Items1
                      Rundll32                      		DCSync2
                      File and Directory Discovery                      		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
                      DLL Side-Loading                      		Proc Filesystem24
                      System Information Discovery                      		Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)1
                      File Deletion                      		/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 signatures2 2 Behavior Graph ID: 626495 Sample: vur7t4SumQ.dll Startdate: 14/05/2022 Architecture: WINDOWS Score: 76 38 Antivirus detection for URL or domain 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 Yara detected Emotet 2->42 7 loaddll64.exe 1 2->7         started        9 svchost.exe 4 2->9         started        11 svchost.exe 2->11         started        13 4 other processes 2->13 process3 process4 15 regsvr32.exe 5 7->15         started        18 cmd.exe 1 7->18         started        20 rundll32.exe 2 7->20         started        22 rundll32.exe 7->22         started        24 WerFault.exe 9->24         started        signatures5 48 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->48 26 regsvr32.exe 15->26         started        30 rundll32.exe 2 18->30         started        32 WerFault.exe 17 9 22->32         started        process6 dnsIp7 34 23.239.0.12, 443, 49772 LINODE-APLinodeLLCUS United States 26->34 44 System process connects to network (likely due to code injection or exploit) 26->44 46 Hides that the sample has been downloaded from the Internet (zone.identifier) 30->46 36 192.168.2.1 unknown unknown 32->36 signatures8

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      vur7t4SumQ.dll35%VirustotalBrowse

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      SourceDetectionScannerLabelLinkDownload
                      2.2.regsvr32.exe.e10000.0.unpack100%AviraHEUR/AGEN.1215493Download File
                      3.2.rundll32.exe.225740c0000.0.unpack100%AviraHEUR/AGEN.1215493Download File
                      4.2.rundll32.exe.1d80d4f0000.1.unpack100%AviraHEUR/AGEN.1215493Download File
                      5.2.rundll32.exe.25875c10000.1.unpack100%AviraHEUR/AGEN.1215493Download File
                      6.2.regsvr32.exe.2590000.1.unpack100%AviraHEUR/AGEN.1215493Download File
                      5.0.rundll32.exe.25875c10000.4.unpack100%AviraHEUR/AGEN.1215493Download File
                      5.0.rundll32.exe.25875c10000.1.unpack100%AviraHEUR/AGEN.1215493Download File

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      https://www.disneyplus.com/legal/your-california-privacy-rights0%URL Reputationsafe
                      http://crl.ver)0%Avira URL Cloudsafe
                      https://www.disneyplus.com/legal/privacy-policy0%URL Reputationsafe
                      https://www.tiktok.com/legal/report/feedback0%URL Reputationsafe
                      https://23.239.0.12/0%URL Reputationsafe
                      https://23.239.0.12/dllrG4100%Avira URL Cloudmalware
                      http://help.disneyplus.com.0%URL Reputationsafe
                      https://www.pango.co/privacy0%URL Reputationsafe
                      https://disneyplus.com/legal.0%URL Reputationsafe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      Contacted URLs

                      NameMaliciousAntivirus DetectionReputation
                      https://23.239.0.12/true
                      • URL Reputation: safe
                      		unknown

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      https://www.disneyplus.com/legal/your-california-privacy-rightssvchost.exe, 0000001A.00000003.610926129.00000267D0F8A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.610933799.00000267D0F9B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.611102190.00000267D0FAC000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://crl.ver)svchost.exe, 0000001A.00000002.639824173.00000267D06EC000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		low
                      https://www.disneyplus.com/legal/privacy-policysvchost.exe, 0000001A.00000003.610926129.00000267D0F8A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.610933799.00000267D0F9B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.611102190.00000267D0FAC000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://www.tiktok.com/legal/report/feedbacksvchost.exe, 0000001A.00000003.619534396.00000267D0F8A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.619552540.00000267D0F9B000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://23.239.0.12/dllrG4regsvr32.exe, 00000006.00000002.759302159.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.447563134.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.447637597.0000000000C61000.00000004.00000020.00020000.00000000.sdmptrue
                      • Avira URL Cloud: malware
                      		unknown
                      http://help.disneyplus.com.svchost.exe, 0000001A.00000003.610926129.00000267D0F8A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.610933799.00000267D0F9B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.611102190.00000267D0FAC000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://support.hotspotshield.com/svchost.exe, 0000001A.00000003.605333125.00000267D0FAA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605313773.00000267D0F88000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605236257.00000267D0FAA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605355013.00000267D1419000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605222554.00000267D0F9A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605266639.00000267D1403000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605251329.00000267D1402000.00000004.00000020.00020000.00000000.sdmpfalse
                        		high
                        https://www.hotspotshield.com/terms/svchost.exe, 0000001A.00000003.605333125.00000267D0FAA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605313773.00000267D0F88000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605236257.00000267D0FAA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605355013.00000267D1419000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605222554.00000267D0F9A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605266639.00000267D1403000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605251329.00000267D1402000.00000004.00000020.00020000.00000000.sdmpfalse
                          		high
                          https://www.pango.co/privacysvchost.exe, 0000001A.00000003.605333125.00000267D0FAA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605313773.00000267D0F88000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605236257.00000267D0FAA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605355013.00000267D1419000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605222554.00000267D0F9A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605266639.00000267D1403000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.605251329.00000267D1402000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          https://disneyplus.com/legal.svchost.exe, 0000001A.00000003.610926129.00000267D0F8A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.610933799.00000267D0F9B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.611102190.00000267D0FAC000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown

                          World Map of Contacted IPs

                          • No. of IPs < 25%
                          • 25% < No. of IPs < 50%
                          • 50% < No. of IPs < 75%
                          • 75% < No. of IPs

                          Public IPs

                          IPDomainCountryFlagASNASN NameMalicious
                          23.239.0.12
                          		unknownUnited States
                          		63949LINODE-APLinodeLLCUStrue

                          Private

                          IP
                          192.168.2.1

                          General Information

                          Joe Sandbox Version:34.0.0 Boulder Opal
                          Analysis ID:626495
                          Start date and time: 14/05/202205:08:472022-05-14 05:08:47 +02:00
                          Joe Sandbox Product:CloudBasic
                          Overall analysis duration:0h 9m 23s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Sample file name:vur7t4SumQ.dll
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                          Run name:Run with higher sleep bypass
                          Number of analysed new started processes analysed:29
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Detection:MAL
                          Classification:mal76.troj.evad.winDLL@24/6@0/2
                          EGA Information:
                          • Successful, ratio: 100%
                          HDC Information:Failed
                          HCA Information:
                          • Successful, ratio: 99%
                          • Number of executed functions: 51
                          • Number of non-executed functions: 213
                          Cookbook Comments:
                          • Found application associated with file extension: .dll
                          • Adjust boot time
                          • Enable AMSI
                          • Sleeps bigger than 120000ms are automatically reduced to 1000ms

                          Warnings

                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, wuapihost.exe
                          • Excluded IPs from analysis (whitelisted): 20.42.65.92, 20.223.24.244
                          • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, arc.msn.com, ris.api.iris.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                          • Not all processes where analyzed, report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.

                          Simulations

                          Behavior and APIs

                          No simulations

                          Joe Sandbox View / Context

                          IPs

                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                          23.239.0.12auExrOTnvB.dllGet hashmaliciousBrowse
                            PvaOeKqrBs.dllGet hashmaliciousBrowse
                              1V4gPPcQvB.dllGet hashmaliciousBrowse
                                Plt3z2W7KQ.dllGet hashmaliciousBrowse
                                  2V7zjcga5L.dllGet hashmaliciousBrowse
                                    vur7t4SumQ.dllGet hashmaliciousBrowse
                                      3j6e3XaMWM.dllGet hashmaliciousBrowse
                                        wgJ5YjI2QO.dllGet hashmaliciousBrowse
                                          r0hiaXHscs.dllGet hashmaliciousBrowse
                                            TSvDnT6fkE.dllGet hashmaliciousBrowse
                                              Plt3z2W7KQ.dllGet hashmaliciousBrowse
                                                2V7zjcga5L.dllGet hashmaliciousBrowse
                                                  RuqTBW6t32.dllGet hashmaliciousBrowse
                                                    yj81rxDZIp.dllGet hashmaliciousBrowse
                                                      3j6e3XaMWM.dllGet hashmaliciousBrowse
                                                        wgJ5YjI2QO.dllGet hashmaliciousBrowse
                                                          r0hiaXHscs.dllGet hashmaliciousBrowse
                                                            TSvDnT6fkE.dllGet hashmaliciousBrowse
                                                              x4ByCNJqst.dllGet hashmaliciousBrowse
                                                                Xp7X1Yf3CM.dllGet hashmaliciousBrowse

                                                                  Domains

                                                                  No context

                                                                  ASNs

                                                                  MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                  LINODE-APLinodeLLCUSauExrOTnvB.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  PvaOeKqrBs.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  1V4gPPcQvB.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  Plt3z2W7KQ.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  2V7zjcga5L.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  vur7t4SumQ.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  3j6e3XaMWM.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  wgJ5YjI2QO.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  r0hiaXHscs.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  TSvDnT6fkE.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  Plt3z2W7KQ.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  2V7zjcga5L.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  RuqTBW6t32.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  yj81rxDZIp.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  3j6e3XaMWM.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  wgJ5YjI2QO.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  r0hiaXHscs.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  TSvDnT6fkE.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  x4ByCNJqst.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  Xp7X1Yf3CM.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12

                                                                  JA3 Fingerprints

                                                                  MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                  51c64c77e60f3980eea90869b68c58a8auExrOTnvB.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  PvaOeKqrBs.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  1V4gPPcQvB.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  Plt3z2W7KQ.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  2V7zjcga5L.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  vur7t4SumQ.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  3j6e3XaMWM.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  wgJ5YjI2QO.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  r0hiaXHscs.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  TSvDnT6fkE.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  Plt3z2W7KQ.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  2V7zjcga5L.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  RuqTBW6t32.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  yj81rxDZIp.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  3j6e3XaMWM.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  wgJ5YjI2QO.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  r0hiaXHscs.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  TSvDnT6fkE.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  x4ByCNJqst.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  Xp7X1Yf3CM.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12

                                                                  Dropped Files

                                                                  No context

                                                                  Created / dropped Files

                                                                  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_vur_1d0254f19b869b476574097083416095bb4e4c_67e37b4c_10e28517\Report.wer

                                                                  Download File
                                                                  Process:C:\Windows\System32\WerFault.exe
                                                                  File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):65536
                                                                  Entropy (8bit):0.7853252679350599
                                                                  Encrypted:false
                                                                  SSDEEP:96:L8F2RtihJPnyMj055oX7R16tpXIQcQE7c6EPrcEYcw3uhXaXz+HbHgSQgJPbFv8L:YWihJKXHK7gPri4jD9/u7saS274ltl8
                                                                  MD5:36992C5F8313BAD891A8B3A034DF02A0
                                                                  SHA1:7EBF35BF836C4E5544D95AEF47AD5E2AE6A215BC
                                                                  SHA-256:53AB8C609A0F45ECCF2C5C4E0118FCB7A991373CBFC031E09D9939C33A7B1517
                                                                  SHA-512:61D68CA44D6F8275EE66216C824A49261A6E54B07E3FDCC4EC4103872E8D23009BC465C064945A8EEC5E1AA2CED5041E2739E23B7734394547EE37B9E5392224
                                                                  Malicious:false
                                                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.7.0.0.3.8.1.0.9.4.3.2.3.3.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.7.0.0.3.8.1.6.9.4.3.2.3.7.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.3.b.5.1.5.0.1.-.5.5.8.9.-.4.7.9.3.-.8.f.9.7.-.0.d.a.0.f.5.f.1.b.4.b.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.5.a.0.8.0.a.2.-.f.0.b.0.-.4.9.3.f.-.8.3.e.e.-.7.c.0.7.a.b.9.0.0.4.0.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.v.u.r.7.t.4.S.u.m.Q...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.c.0.-.0.0.0.1.-.0.0.1.8.-.f.e.8.c.-.b.3.8.a.8.b.6.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.2.f.3.4.c.c.f.d.d.8.1.4.1.a.e.e.e.2.e.8.9.f.f.b.0.7.0.c.e.2.3.9.c.7.d.0.0.7.0.6.!.

                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER74E.tmp.xml

                                                                  Download File
                                                                  Process:C:\Windows\System32\WerFault.exe
                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):4892
                                                                  Entropy (8bit):4.495970968997092
                                                                  Encrypted:false
                                                                  SSDEEP:48:cvIwSD8zs0JgtBI9HPWgc8sqYjQ8fm8M4JCLCSinFByq8vhSiy0ZESC5Sad:uITfyFegrsqYpJ7WTVvad
                                                                  MD5:D160E476345F9B3508E61AC3B7A67CA3
                                                                  SHA1:2AEC041CCDCE7384B93F73EB24BABDB4584ACE18
                                                                  SHA-256:20FC91F0F57FF82755369FB92A58C26D223D6B2E5C38160168DB88CFA6719BC0
                                                                  SHA-512:B1DF845831C5B3915012C5DE42770B4FF6D735D4565DE6801C3F7971578658770A602DE8C7BFD0C87139BE6E0CAC5462A5CADD62ECC142204C43801720804DB5
                                                                  Malicious:false
                                                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1514720" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER846.tmp.csv

                                                                  Download File
                                                                  Process:C:\Windows\System32\svchost.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):49720
                                                                  Entropy (8bit):3.057673765506511
                                                                  Encrypted:false
                                                                  SSDEEP:1536:lNHpYJ1JgTYc9O7dEunNzCsVpFfIkmA4y1UeECLE2OzTDs:lNHpYJ1JgTYc9O7dEgNzCsVpFfIkmA4s
                                                                  MD5:3CA8A453D002DB55B6B052FA74EF8D93
                                                                  SHA1:8295148567810B85DF3B76C3952041BDFDA4D6E1
                                                                  SHA-256:0715C4615063BBA71854B2576632AE9787B3248673C34D840D6CF0B9EA5C1C00
                                                                  SHA-512:13FFDF11016D7FF5C00F0CCD61780A2F1C129A357C9198285E5F623AFAFF0DCB00D8E898AE1AA32B32D7542DE8CD8A4CE000860CEFEB454169868BE621FB7FB9
                                                                  Malicious:false
                                                                  Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERB35.tmp.txt

                                                                  Download File
                                                                  Process:C:\Windows\System32\svchost.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):13340
                                                                  Entropy (8bit):2.6978468661231063
                                                                  Encrypted:false
                                                                  SSDEEP:96:kiZYWNOntrEYCYCQW5QXHKYEZsQtFigeZP6wEI8waBfJchqoIlu3:hZDhFT3GI+aZJchqPlu3
                                                                  MD5:40432DD155606652AD13DC018581E5C2
                                                                  SHA1:AC9037CE03ECDFA3A07FA7D9440F1EE3F7D3B702
                                                                  SHA-256:74BAD994F7BC418725394489357CC3F0624B363A85D1C7AB6BE7C9CE6D6B818B
                                                                  SHA-512:5BCD7115239949324304E933857C20ED750345DE4BD879EC5EC4228AD186BE42BF4956C0D0524D4DBA0E4FC95C7542579AA56A43D539AB1807A2B9F80B3EBA4B
                                                                  Malicious:false
                                                                  Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.2.6.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERF4ED.tmp.dmp

                                                                  Download File
                                                                  Process:C:\Windows\System32\WerFault.exe
                                                                  File Type:Mini DuMP crash report, 15 streams, Sat May 14 12:10:12 2022, 0x1205a4 type
                                                                  Category:dropped
                                                                  Size (bytes):64750
                                                                  Entropy (8bit):2.2793783948360398
                                                                  Encrypted:false
                                                                  SSDEEP:384:HjgvroVTdIZC1V2+dUNulIMyq7QER/1N2LrT9G:HhRQC1VqkxyeNR/1N2L/4
                                                                  MD5:4DDA173B44B0466472B6A70D20BED3D8
                                                                  SHA1:2DD86236BBDAEF540C0BE6C9287552D626716F4E
                                                                  SHA-256:D69685819F30A40D216084FEBE869ACFF1B26F6286BC97CC1D71D9F2149775BC
                                                                  SHA-512:329EA155487C1783573FE542877F73E0227641CC1C9101C5E36A309492F362D57B51BB09BD0A0B0AD9722F32E16B8384E3B30D6110F51DF089A38689EB51F7FF
                                                                  Malicious:false
                                                                  Preview:MDMP....... .......$..b....................................|...8.......T...L;..........`.......8...........T...........X................"...........$...................................................................U...........B......8%......Lw................\.M...T..............b.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERFFAC.tmp.WERInternalMetadata.xml

                                                                  Download File
                                                                  Process:C:\Windows\System32\WerFault.exe
                                                                  File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):6662
                                                                  Entropy (8bit):3.7166703916121655
                                                                  Encrypted:false
                                                                  SSDEEP:192:Rrl7r3GLNi0MjCOGMGIYVYS00CprgL89bexXmfZ8hm:RrlsNijCOGMGIYVYS0fA2fb
                                                                  MD5:DDDF30F4BCDD161516461309B3CD9B69
                                                                  SHA1:A34B590A11E1820062954CAA8D636EFEC7A0228C
                                                                  SHA-256:C31AA2E072C7ED7164215216A80AC5EAC3E0F72236078EA2E0E08555899997EE
                                                                  SHA-512:261240D39C6B43B3C9BEF703331C6E5D387263DDFA7F99F2832341DE1A45087B4ABE5514C81BFE4FFA4785C9E2B9E54B004BDD57017E90EEF131AC576C3CA56B
                                                                  Malicious:false
                                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.0.4.<./.P.i.d.>.......

                                                                  Static File Info

                                                                  General

                                                                  File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                  Entropy (8bit):6.482102345282002
                                                                  TrID:
                                                                  • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
                                                                  • Win64 Executable (generic) (12005/4) 10.17%
                                                                  • Generic Win/DOS Executable (2004/3) 1.70%
                                                                  • DOS Executable Generic (2002/1) 1.70%
                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
                                                                  File name:vur7t4SumQ.dll
                                                                  File size:545280
                                                                  MD5:b4f74ea581aba7c9e44b4a0053d20bfe
                                                                  SHA1:eec25f21b828ae3aa2cb49dcd418855e98993ad7
                                                                  SHA256:91808c38624d6b8a14a9d86ce4e7fa9815ae08b359748873507db505255c2efe
                                                                  SHA512:92c058cccbd01738d562880f3abbb3876875918f3fd67d9339c611956bab47af35c36cc68bcfbd7cf31774896dff86abcf80b6f69a7c246ed3882ef0f76b9327
                                                                  SSDEEP:12288:B4UJY9B+TenWsSEPHjMOUP9uXdt7JpfYNVr9RM54RutCTdJGqIoTCZ4eEsZWHxHy:B4UJY9BSenZSEPHjMOUP9Udt7JpfYNVS
                                                                  TLSH:D4C4CFA5435C08FCE762C3395C975BC5B1F7BDAE0664AF260BC18DA05E1BA90F53A381
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2.H.v.&.v.&.v.&.h...o.&.h...2.&.h.....&.Q6].s.&.v.'.9.&.h...w.&.h...w.&.h...w.&.h...w.&.Richv.&.........PE..d.....}b.........."

                                                                  File Icon

                                                                  Icon Hash:74f0e4ecccdce0e4

                                                                  Static PE Info

                                                                  General

                                                                  Entrypoint:0x1800423a8
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x180000000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                                                  Time Stamp:0x627D8598 [Thu May 12 22:09:28 2022 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:5
                                                                  OS Version Minor:2
                                                                  File Version Major:5
                                                                  File Version Minor:2
                                                                  Subsystem Version Major:5
                                                                  Subsystem Version Minor:2
                                                                  Import Hash:b268dbaa2e6eb6acd16e04d482356598

                                                                  Entrypoint Preview

                                                                  Instruction
                                                                  dec eax
                                                                  mov dword ptr [esp+08h], ebx
                                                                  dec eax
                                                                  mov dword ptr [esp+10h], esi
                                                                  push edi
                                                                  dec eax
                                                                  sub esp, 20h
                                                                  dec ecx
                                                                  mov edi, eax
                                                                  mov ebx, edx
                                                                  dec eax
                                                                  mov esi, ecx
                                                                  cmp edx, 01h
                                                                  jne 00007FD9B8A95C77h
                                                                  call 00007FD9B8A97E04h
                                                                  dec esp
                                                                  mov eax, edi
                                                                  mov edx, ebx
                                                                  dec eax
                                                                  mov ecx, esi
                                                                  dec eax
                                                                  mov ebx, dword ptr [esp+30h]
                                                                  dec eax
                                                                  mov esi, dword ptr [esp+38h]
                                                                  dec eax
                                                                  add esp, 20h
                                                                  pop edi
                                                                  jmp 00007FD9B8A95B20h
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  dec eax
                                                                  mov dword ptr [esp+08h], ecx
                                                                  dec eax
                                                                  sub esp, 00000088h
                                                                  dec eax
                                                                  lea ecx, dword ptr [00014D05h]
                                                                  call dword ptr [0000FC7Fh]
                                                                  dec esp
                                                                  mov ebx, dword ptr [00014DF0h]
                                                                  dec esp
                                                                  mov dword ptr [esp+58h], ebx
                                                                  inc ebp
                                                                  xor eax, eax
                                                                  dec eax
                                                                  lea edx, dword ptr [esp+60h]
                                                                  dec eax
                                                                  mov ecx, dword ptr [esp+58h]
                                                                  call 00007FD9B8AA47FAh
                                                                  dec eax
                                                                  mov dword ptr [esp+50h], eax
                                                                  dec eax
                                                                  cmp dword ptr [esp+50h], 00000000h
                                                                  je 00007FD9B8A95CB3h
                                                                  dec eax
                                                                  mov dword ptr [esp+38h], 00000000h
                                                                  dec eax
                                                                  lea eax, dword ptr [esp+48h]
                                                                  dec eax
                                                                  mov dword ptr [esp+30h], eax
                                                                  dec eax
                                                                  lea eax, dword ptr [esp+40h]
                                                                  dec eax
                                                                  mov dword ptr [esp+28h], eax
                                                                  dec eax
                                                                  lea eax, dword ptr [00014CB0h]
                                                                  dec eax
                                                                  mov dword ptr [esp+20h], eax
                                                                  dec esp
                                                                  mov ecx, dword ptr [esp+50h]
                                                                  dec esp
                                                                  mov eax, dword ptr [esp+58h]
                                                                  dec eax
                                                                  mov edx, dword ptr [esp+60h]
                                                                  xor ecx, ecx
                                                                  call 00007FD9B8AA47A8h
                                                                  jmp 00007FD9B8A95C94h
                                                                  dec eax
                                                                  mov eax, dword ptr [eax+eax+00000000h]

                                                                  Rich Headers

                                                                  Programming Language:
                                                                  • [ C ] VS2008 build 21022
                                                                  • [LNK] VS2008 build 21022
                                                                  • [ASM] VS2008 build 21022
                                                                  • [IMP] VS2005 build 50727
                                                                  • [RES] VS2008 build 21022
                                                                  • [EXP] VS2008 build 21022
                                                                  • [C++] VS2008 build 21022

                                                                  Data Directories

                                                                  NameVirtual AddressVirtual Size Is in Section
                                                                  IMAGE_DIRECTORY_ENTRY_EXPORT0x55cf00x6f.rdata
                                                                  IMAGE_DIRECTORY_ENTRY_IMPORT0x5544c0x3c.rdata
                                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE0x5a0000x2dffc.rsrc
                                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x590000xe1c.pdata
                                                                  IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC0x880000x1d8.reloc
                                                                  IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_IAT0x520000x288.rdata
                                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                  Sections

                                                                  NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                  .text0x10000x504ca0x50600False0.389081940124zlib compressed data5.26882252971IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                  .rdata0x520000x3d5f0x3e00False0.355279737903data5.39248898629IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                  .data0x560000x20d80x1200False0.180772569444data2.18161586025IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                  .pdata0x590000xe1c0x1000False0.44580078125data4.98556265168IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                  .rsrc0x5a0000x2dffc0x2e000False0.839408542799data7.73448363752IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                  .reloc0x880000x6f80x800False0.1796875data1.81179169858IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                  Resources

                                                                  NameRVASizeTypeLanguageCountry
                                                                  RT_RCDATA0x5a0a00x2de00dataEnglishUnited States
                                                                  RT_MANIFEST0x87ea00x15aASCII text, with CRLF line terminatorsEnglishUnited States

                                                                  Imports

                                                                  DLLImport
                                                                  KERNEL32.dllExitProcess, VirtualAlloc, CompareStringW, CompareStringA, GetTimeZoneInformation, GetLocaleInfoW, GetCurrentThreadId, FlsSetValue, GetCommandLineA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, EncodePointer, DecodePointer, TlsAlloc, FlsGetValue, FlsFree, SetLastError, GetLastError, GetCurrentThread, FlsAlloc, HeapFree, Sleep, GetModuleHandleW, GetProcAddress, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, HeapSetInformation, HeapCreate, HeapDestroy, RtlUnwindEx, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, LeaveCriticalSection, FatalAppExitA, EnterCriticalSection, HeapAlloc, HeapReAlloc, WriteFile, SetConsoleCtrlHandler, FreeLibrary, LoadLibraryA, InitializeCriticalSectionAndSpinCount, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetDateFormatA, GetTimeFormatA, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, HeapSize, SetEnvironmentVariableA
                                                                  ole32.dllCoTaskMemFree, CoLoadLibrary, CoTaskMemAlloc

                                                                  Exports

                                                                  NameOrdinalAddress
                                                                  DllRegisterServer10x180042050
                                                                  DllUnregisterServer20x180042080

                                                                  Possible Origin

                                                                  Language of compilation systemCountry where language is spokenMap
                                                                  EnglishUnited States

                                                                  Network Behavior

                                                                  Network Port Distribution

                                                                  TCP Packets

                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                  May 14, 2022 05:10:33.005964041 CEST49772443192.168.2.623.239.0.12
                                                                  May 14, 2022 05:10:33.006011963 CEST4434977223.239.0.12192.168.2.6
                                                                  May 14, 2022 05:10:33.006088972 CEST49772443192.168.2.623.239.0.12
                                                                  May 14, 2022 05:10:33.106427908 CEST49772443192.168.2.623.239.0.12
                                                                  May 14, 2022 05:10:33.106457949 CEST4434977223.239.0.12192.168.2.6
                                                                  May 14, 2022 05:10:33.646167040 CEST4434977223.239.0.12192.168.2.6
                                                                  May 14, 2022 05:10:33.646364927 CEST49772443192.168.2.623.239.0.12
                                                                  May 14, 2022 05:10:35.088674068 CEST49772443192.168.2.623.239.0.12
                                                                  May 14, 2022 05:10:35.088705063 CEST4434977223.239.0.12192.168.2.6
                                                                  May 14, 2022 05:10:35.088996887 CEST4434977223.239.0.12192.168.2.6
                                                                  May 14, 2022 05:10:35.089067936 CEST49772443192.168.2.623.239.0.12
                                                                  May 14, 2022 05:10:35.096456051 CEST49772443192.168.2.623.239.0.12
                                                                  May 14, 2022 05:10:35.136497974 CEST4434977223.239.0.12192.168.2.6
                                                                  May 14, 2022 05:10:35.938894987 CEST4434977223.239.0.12192.168.2.6
                                                                  May 14, 2022 05:10:35.939011097 CEST4434977223.239.0.12192.168.2.6
                                                                  May 14, 2022 05:10:35.939083099 CEST49772443192.168.2.623.239.0.12
                                                                  May 14, 2022 05:10:35.939132929 CEST49772443192.168.2.623.239.0.12
                                                                  May 14, 2022 05:10:35.939850092 CEST49772443192.168.2.623.239.0.12
                                                                  May 14, 2022 05:10:35.939879894 CEST4434977223.239.0.12192.168.2.6

                                                                  HTTP Request Dependency Graph

                                                                  • 23.239.0.12

                                                                  HTTPS Proxied Packets

                                                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                  0192.168.2.64977223.239.0.12443C:\Windows\System32\regsvr32.exe
                                                                  TimestampkBytes transferredDirectionData
                                                                  2022-05-14 03:10:35 UTC0OUTGET / HTTP/1.1
                                                                  Cookie: LfcshBB=9K9xNKen7udDeb1J4OQyijqGfmzzXo68BI+bQ+LkDM69N5Z+tt9oOOCK9f/7rt6//U0Vq39OhpiP9jVbw2BTUiRQ7mMr6aTri/fh0NaOk28RU7YJkRTEIVgJRZHGtilk5myUCiBIQeMH+hqUkNDpw/OZ13V75DgTrxKFRTcKMU4qV9d/U8reAX4q7GM5O3IrQvwhgAszodlLlbDAakiFaZE4AFW95EPShqwCclTorVq663gqXvWIBkslURg=
                                                                  Host: 23.239.0.12
                                                                  Connection: Keep-Alive
                                                                  Cache-Control: no-cache
                                                                  2022-05-14 03:10:35 UTC0INHTTP/1.1 200 OK
                                                                  Server: nginx
                                                                  Date: Sat, 14 May 2022 03:10:35 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  2022-05-14 03:10:35 UTC0INData Raw: 33 64 31 0d 0a 32 d8 a9 8b 0b 2e 7e 69 14 a5 d7 19 1f 7b ae ee 4d b3 9d 6c 53 de 58 4f 15 17 74 b0 84 4d 99 6d e8 7d d4 f4 68 54 64 e3 98 8a c8 f6 34 d7 db 2c a3 ff 15 47 3b 76 06 17 08 52 2d cb c4 e1 cb a8 3a 05 ac 49 2f 93 df ce cb 73 41 e6 01 df b3 c5 b7 94 d0 1e 3b 82 d9 11 90 ec 53 92 94 64 9e b2 c6 e6 f2 bd 6c a5 06 97 8d 00 6b ab 5c b0 59 29 a8 dc 46 2d 51 56 7b 59 33 0a 53 8b 42 1e ea d3 e0 54 70 7e a5 1d 6c ca ed d6 07 a6 ff 96 11 85 9d 51 b8 86 6b 90 33 c7 55 53 59 cf 87 29 77 38 02 cf 61 88 e0 07 54 3a d3 3b 62 a5 47 8c ea 14 57 8f b0 0e 09 c7 bf 84 b9 44 48 de 7d 3f 8a 64 a0 21 43 1b 31 1d 98 a6 f5 66 99 46 be bd 22 fc 28 c3 8f ff 68 8c 7e 19 03 cc 92 41 68 c3 d0 82 23 2c 24 d3 0b 9c 84 7d fc c8 e9 6d 7e c3 c3 eb 79 80 ba 9d 5b 90 47 96 73 c4
                                                                  Data Ascii: 3d12.~i{MlSXOtMm}hTd4,G;vR-:I/sA;Sdlk\Y)F-QV{Y3SBTp~lQk3USY)w8aT:;bGWDH}?d!C1fF"(h~Ah#,$}m~y[Gs


                                                                  Statistics

                                                                  CPU Usage

                                                                  Click to jump to process

                                                                  Memory Usage

                                                                  Click to jump to process

                                                                  High Level Behavior Distribution

                                                                  Click to dive into process behavior distribution

                                                                  Behavior

                                                                  Click to jump to process

                                                                  System Behavior

                                                                  General

                                                                  Target ID:0
                                                                  Start time:05:09:57
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\loaddll64.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:loaddll64.exe "C:\Users\user\Desktop\vur7t4SumQ.dll"
                                                                  Imagebase:0x7ff7df160000
                                                                  File size:140288 bytes
                                                                  MD5 hash:4E8A40CAD6CCC047914E3A7830A2D8AA
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  General

                                                                  Target ID:1
                                                                  Start time:05:09:57
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\cmd.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\vur7t4SumQ.dll",#1
                                                                  Imagebase:0x7ff6edbd0000
                                                                  File size:273920 bytes
                                                                  MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  General

                                                                  Target ID:2
                                                                  Start time:05:09:58
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\regsvr32.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:regsvr32.exe /s C:\Users\user\Desktop\vur7t4SumQ.dll
                                                                  Imagebase:0x7ff7ea2d0000
                                                                  File size:24064 bytes
                                                                  MD5 hash:D78B75FC68247E8A63ACBA846182740E
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.385974749.0000000000E10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:high

                                                                  General

                                                                  Target ID:3
                                                                  Start time:05:09:58
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\rundll32.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:rundll32.exe "C:\Users\user\Desktop\vur7t4SumQ.dll",#1
                                                                  Imagebase:0x7ff7e2740000
                                                                  File size:69632 bytes
                                                                  MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.383682759.00000225740C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.382880372.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:high

                                                                  General

                                                                  Target ID:4
                                                                  Start time:05:09:59
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\rundll32.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:rundll32.exe C:\Users\user\Desktop\vur7t4SumQ.dll,DllRegisterServer
                                                                  Imagebase:0x7ff7e2740000
                                                                  File size:69632 bytes
                                                                  MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.384056967.000001D80D4F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.383720280.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:high

                                                                  General

                                                                  Target ID:5
                                                                  Start time:05:10:03
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\rundll32.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:rundll32.exe C:\Users\user\Desktop\vur7t4SumQ.dll,DllUnregisterServer
                                                                  Imagebase:0x7ff7e2740000
                                                                  File size:69632 bytes
                                                                  MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000000.391402911.0000025875C10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.474314790.0000025875C10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.474148480.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000000.391196751.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000000.390207930.0000025875C10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000000.389604271.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:high

                                                                  General

                                                                  Target ID:6
                                                                  Start time:05:10:05
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\regsvr32.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QpRiewx\dKRLHbLQXAMim.dll"
                                                                  Imagebase:0x7ff7ea2d0000
                                                                  File size:24064 bytes
                                                                  MD5 hash:D78B75FC68247E8A63ACBA846182740E
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.759523797.0000000002590000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.759708850.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:high

                                                                  General

                                                                  Target ID:7
                                                                  Start time:05:10:07
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\svchost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                  Imagebase:0x7ff726010000
                                                                  File size:51288 bytes
                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  General

                                                                  Target ID:8
                                                                  Start time:05:10:08
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\WerFault.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\WerFault.exe -pss -s 492 -p 7104 -ip 7104
                                                                  Imagebase:0x7ff7164b0000
                                                                  File size:494488 bytes
                                                                  MD5 hash:2AFFE478D86272288BBEF5A00BBEF6A0
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language

                                                                  General

                                                                  Target ID:9
                                                                  Start time:05:10:10
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\WerFault.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\WerFault.exe -u -p 7104 -s 336
                                                                  Imagebase:0x7ff7164b0000
                                                                  File size:494488 bytes
                                                                  MD5 hash:2AFFE478D86272288BBEF5A00BBEF6A0
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language

                                                                  General

                                                                  Target ID:15
                                                                  Start time:05:10:28
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\svchost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                  Imagebase:0x7ff726010000
                                                                  File size:51288 bytes
                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language

                                                                  General

                                                                  Target ID:16
                                                                  Start time:05:10:37
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\svchost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                  Imagebase:0x7ff726010000
                                                                  File size:51288 bytes
                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language

                                                                  General

                                                                  Target ID:18
                                                                  Start time:05:10:45
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\svchost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                  Imagebase:0x7ff726010000
                                                                  File size:51288 bytes
                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language

                                                                  General

                                                                  Target ID:22
                                                                  Start time:05:11:11
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\svchost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                  Imagebase:0x7ff726010000
                                                                  File size:51288 bytes
                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language

                                                                  General

                                                                  Target ID:26
                                                                  Start time:05:11:36
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\svchost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                  Imagebase:0x7ff726010000
                                                                  File size:51288 bytes
                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language

                                                                  Disassembly

                                                                  Reset < >

                                                                    Execution Graph

                                                                    Execution Coverage:10.7%
                                                                    Dynamic/Decrypted Code Coverage:2.5%
                                                                    Signature Coverage:16.1%
                                                                    Total number of Nodes:684
                                                                    Total number of Limit Nodes:6
                                                                    execution_graph 9669 e00000 9670 e00183 9669->9670 9671 e0043e VirtualAlloc 9670->9671 9675 e00462 9671->9675 9672 e00a7b 9673 e00531 GetNativeSystemInfo 9673->9672 9674 e0056d VirtualAlloc 9673->9674 9679 e0058b 9674->9679 9675->9672 9675->9673 9676 e00a00 9676->9672 9677 e00a56 RtlAddFunctionTable 9676->9677 9677->9672 9678 e009d9 VirtualProtect 9678->9679 9679->9676 9679->9678 9680 7fff2f3c1ee7 9681 7fff2f3c1f13 RtlAllocateHeap 9680->9681 9682 7fff2f3c1f3d RtlDeleteBoundaryDescriptor 9681->9682 9683 7fff2f3c1f5c 9681->9683 9682->9683 9684 180021c3c 9685 180021c97 9684->9685 9688 180001bdc 9685->9688 9687 180021e38 9690 180001c82 9688->9690 9689 180001d21 CreateProcessW 9689->9687 9690->9689 9691 7fff2f3c2290 9693 7fff2f3c22b6 9691->9693 9692 7fff2f3c22f3 9700 7fff2f3c22be 9692->9700 9745 7fff2f381230 9692->9745 9693->9692 9693->9700 9703 7fff2f3c2154 9693->9703 9697 7fff2f3c2335 9698 7fff2f3c2154 126 API calls 9697->9698 9697->9700 9698->9700 9699 7fff2f381230 8 API calls 9701 7fff2f3c2328 9699->9701 9702 7fff2f3c2154 126 API calls 9701->9702 9702->9697 9704 7fff2f3c2162 9703->9704 9705 7fff2f3c21e1 9703->9705 9750 7fff2f3c4110 HeapCreate 9704->9750 9707 7fff2f3c221e 9705->9707 9713 7fff2f3c21e5 9705->9713 9710 7fff2f3c2279 9707->9710 9711 7fff2f3c2223 9707->9711 9709 7fff2f3c216d 9709->9692 9710->9709 9870 7fff2f3c2f50 9710->9870 9843 7fff2f3c3108 9711->9843 9713->9709 9717 7fff2f3c3a48 46 API calls 9713->9717 9716 7fff2f3c2179 _RTC_Initialize 9726 7fff2f3c2189 GetCommandLineA 9716->9726 9737 7fff2f3c217d 9716->9737 9719 7fff2f3c2212 9717->9719 9722 7fff2f3c2c94 48 API calls 9719->9722 9720 7fff2f3c2243 FlsSetValue 9723 7fff2f3c2259 9720->9723 9724 7fff2f3c226f 9720->9724 9725 7fff2f3c2217 9722->9725 9855 7fff2f3c2cbc 9723->9855 9864 7fff2f3c3024 9724->9864 9854 7fff2f3c415c HeapDestroy 9725->9854 9769 7fff2f3c3eec 9726->9769 9848 7fff2f3c415c HeapDestroy 9737->9848 9738 7fff2f3c21b7 9739 7fff2f3c21cb 9738->9739 9822 7fff2f3c3aec 9738->9822 9739->9709 9849 7fff2f3c3a48 9739->9849 9743 7fff2f3c21ab 9807 7fff2f3c2c94 9743->9807 9746 7fff2f381249 _wcsftime_l 9745->9746 9747 7fff2f381276 9746->9747 9748 7fff2f3c20e0 __initmbctable 8 API calls 9747->9748 9749 7fff2f3c203e 9748->9749 9749->9697 9749->9699 9751 7fff2f3c2169 9750->9751 9752 7fff2f3c4134 HeapSetInformation 9750->9752 9751->9709 9753 7fff2f3c2fa0 9751->9753 9752->9751 9876 7fff2f3c36f0 9753->9876 9755 7fff2f3c2fab 9881 7fff2f3c6970 9755->9881 9758 7fff2f3c3014 9760 7fff2f3c2c94 48 API calls 9758->9760 9759 7fff2f3c2fb4 FlsAlloc 9759->9758 9761 7fff2f3c2fcc 9759->9761 9763 7fff2f3c3019 9760->9763 9762 7fff2f3c3108 __wtomb_environ 45 API calls 9761->9762 9764 7fff2f3c2fdb 9762->9764 9763->9716 9764->9758 9765 7fff2f3c2fe3 FlsSetValue 9764->9765 9765->9758 9766 7fff2f3c2ff6 9765->9766 9767 7fff2f3c2cbc _getptd 45 API calls 9766->9767 9768 7fff2f3c3000 GetCurrentThreadId 9767->9768 9768->9763 9770 7fff2f3c3f4d 9769->9770 9771 7fff2f3c3f1b GetEnvironmentStringsW 9769->9771 9772 7fff2f3c3f29 9770->9772 9774 7fff2f3c4010 9770->9774 9771->9772 9773 7fff2f3c3f35 GetLastError 9771->9773 9776 7fff2f3c3f5b GetEnvironmentStringsW 9772->9776 9782 7fff2f3c3f70 WideCharToMultiByte 9772->9782 9773->9770 9775 7fff2f3c401d GetEnvironmentStrings 9774->9775 9780 7fff2f3c219b 9774->9780 9775->9780 9781 7fff2f3c402f 9775->9781 9776->9780 9776->9782 9778 7fff2f3c3fbe 9888 7fff2f3c309c 9778->9888 9779 7fff2f3c3fff 9784 7fff2f3c4002 FreeEnvironmentStringsW 9779->9784 9794 7fff2f3c3758 GetStartupInfoA 9780->9794 9785 7fff2f3c309c __setargv 45 API calls 9781->9785 9782->9778 9782->9779 9784->9780 9786 7fff2f3c4053 9785->9786 9788 7fff2f3c4069 __initmbctable 9786->9788 9789 7fff2f3c405b FreeEnvironmentStringsA 9786->9789 9792 7fff2f3c4077 FreeEnvironmentStringsA 9788->9792 9789->9780 9790 7fff2f3c3fce WideCharToMultiByte 9790->9784 9791 7fff2f3c3ff7 9790->9791 9793 7fff2f3c3024 free 45 API calls 9791->9793 9792->9780 9793->9779 9795 7fff2f3c3108 __wtomb_environ 45 API calls 9794->9795 9796 7fff2f3c3795 9795->9796 9798 7fff2f3c395b 9796->9798 9799 7fff2f3c3108 __wtomb_environ 45 API calls 9796->9799 9805 7fff2f3c38c4 9796->9805 9806 7fff2f3c21a7 9796->9806 9797 7fff2f3c3981 GetStdHandle 9797->9798 9798->9797 9800 7fff2f3c39b0 GetFileType 9798->9800 9801 7fff2f3c3a10 SetHandleCount 9798->9801 9803 7fff2f3c7ee4 _lock InitializeCriticalSectionAndSpinCount 9798->9803 9798->9806 9799->9796 9800->9798 9801->9806 9802 7fff2f3c38f7 GetFileType 9802->9805 9803->9798 9804 7fff2f3c7ee4 _lock InitializeCriticalSectionAndSpinCount 9804->9805 9805->9798 9805->9802 9805->9804 9805->9806 9806->9743 9815 7fff2f3c3df4 9806->9815 9808 7fff2f3c2cb0 9807->9808 9809 7fff2f3c2ca3 FlsFree 9807->9809 9810 7fff2f3c6a2f DeleteCriticalSection 9808->9810 9811 7fff2f3c6a4d 9808->9811 9809->9808 9812 7fff2f3c3024 free 45 API calls 9810->9812 9813 7fff2f3c6a5b DeleteCriticalSection 9811->9813 9814 7fff2f3c6a6a 9811->9814 9812->9808 9813->9811 9814->9737 9816 7fff2f3c3e0c 9815->9816 9817 7fff2f3c3e11 GetModuleFileNameA 9815->9817 10034 7fff2f3c4ecc 9816->10034 9819 7fff2f3c3e43 __setargv 9817->9819 9820 7fff2f3c309c __setargv 45 API calls 9819->9820 9821 7fff2f3c3e97 __setargv 9819->9821 9820->9821 9821->9738 9823 7fff2f3c3b09 9822->9823 9827 7fff2f3c3b0e _FF_MSGBANNER 9822->9827 9824 7fff2f3c4ecc __initmbctable 83 API calls 9823->9824 9824->9827 9825 7fff2f3c21c0 9825->9739 9837 7fff2f3c347c 9825->9837 9826 7fff2f3c3108 __wtomb_environ 45 API calls 9834 7fff2f3c3b4d _FF_MSGBANNER 9826->9834 9827->9825 9827->9826 9828 7fff2f3c3bc6 9829 7fff2f3c3024 free 45 API calls 9828->9829 9829->9825 9830 7fff2f3c3108 __wtomb_environ 45 API calls 9830->9834 9831 7fff2f3c3c02 9832 7fff2f3c3024 free 45 API calls 9831->9832 9832->9825 9833 7fff2f3c7fbc _FF_MSGBANNER 45 API calls 9833->9834 9834->9825 9834->9828 9834->9830 9834->9831 9834->9833 9835 7fff2f3c3ba2 9834->9835 9836 7fff2f3c6550 _FF_MSGBANNER 6 API calls 9835->9836 9836->9834 9838 7fff2f3c3492 _cinit 9837->9838 10438 7fff2f3c73f4 9838->10438 9840 7fff2f3c34af _initterm_e 9842 7fff2f3c34d2 _cinit 9840->9842 10441 7fff2f3c73dc 9840->10441 9842->9739 9844 7fff2f3c312d 9843->9844 9846 7fff2f3c2237 9844->9846 9847 7fff2f3c314b Sleep 9844->9847 10458 7fff2f3c6cec 9844->10458 9846->9709 9846->9720 9847->9844 9847->9846 9848->9709 9851 7fff2f3c3a59 9849->9851 9850 7fff2f3c3aa8 9850->9743 9851->9850 9852 7fff2f3c3024 free 45 API calls 9851->9852 9853 7fff2f3c3a70 DeleteCriticalSection 9851->9853 9852->9851 9853->9851 9854->9709 9856 7fff2f3c6ba0 _lock 45 API calls 9855->9856 9857 7fff2f3c2d11 9856->9857 10467 7fff2f3c6a80 LeaveCriticalSection 9857->10467 9865 7fff2f3c3029 HeapFree 9864->9865 9866 7fff2f3c3059 realloc 9864->9866 9865->9866 9867 7fff2f3c3044 9865->9867 9866->9709 9868 7fff2f3c67e0 _errno 43 API calls 9867->9868 9869 7fff2f3c3049 GetLastError 9868->9869 9869->9866 9871 7fff2f3c2f88 9870->9871 9872 7fff2f3c2f64 9870->9872 9871->9709 9873 7fff2f3c2f69 FlsGetValue 9872->9873 9874 7fff2f3c2f78 FlsSetValue 9872->9874 9873->9874 10468 7fff2f3c2e18 9874->10468 9885 7fff2f3c2c5c EncodePointer 9876->9885 9878 7fff2f3c36fb _initp_misc_winsig 9879 7fff2f3c755c EncodePointer 9878->9879 9880 7fff2f3c373e EncodePointer 9879->9880 9880->9755 9882 7fff2f3c6993 9881->9882 9884 7fff2f3c2fb0 9882->9884 9886 7fff2f3c7ee4 InitializeCriticalSectionAndSpinCount 9882->9886 9884->9758 9884->9759 9887 7fff2f3c7f11 9886->9887 9887->9882 9889 7fff2f3c30b8 9888->9889 9891 7fff2f3c30f0 9889->9891 9892 7fff2f3c30d0 Sleep 9889->9892 9893 7fff2f3c6c34 9889->9893 9891->9779 9891->9790 9892->9889 9892->9891 9894 7fff2f3c6cc8 realloc 9893->9894 9902 7fff2f3c6c4c realloc 9893->9902 9897 7fff2f3c67e0 _errno 44 API calls 9894->9897 9895 7fff2f3c6c84 RtlAllocateHeap 9898 7fff2f3c6cbd 9895->9898 9895->9902 9897->9898 9898->9889 9899 7fff2f3c6cad 9952 7fff2f3c67e0 9899->9952 9902->9895 9902->9899 9903 7fff2f3c6cb2 9902->9903 9904 7fff2f3c6c64 9902->9904 9906 7fff2f3c67e0 _errno 44 API calls 9903->9906 9904->9895 9907 7fff2f3c7160 9904->9907 9916 7fff2f3c6f0c 9904->9916 9949 7fff2f3c334c 9904->9949 9906->9898 9955 7fff2f3cd2ac 9907->9955 9910 7fff2f3cd2ac _FF_MSGBANNER 45 API calls 9914 7fff2f3c717d 9910->9914 9911 7fff2f3c6f0c _FF_MSGBANNER 45 API calls 9912 7fff2f3c7194 9911->9912 9915 7fff2f3c6f0c _FF_MSGBANNER 45 API calls 9912->9915 9913 7fff2f3c719e 9913->9904 9914->9911 9914->9913 9915->9913 9917 7fff2f3c6f2f 9916->9917 9918 7fff2f3cd2ac _FF_MSGBANNER 42 API calls 9917->9918 9948 7fff2f3c70d4 9917->9948 9919 7fff2f3c6f51 9918->9919 9920 7fff2f3c70d6 GetStdHandle 9919->9920 9921 7fff2f3cd2ac _FF_MSGBANNER 42 API calls 9919->9921 9924 7fff2f3c70e9 _FF_MSGBANNER 9920->9924 9920->9948 9922 7fff2f3c6f64 9921->9922 9922->9920 9923 7fff2f3c6f75 9922->9923 9923->9948 9974 7fff2f3c7fbc 9923->9974 9925 7fff2f3c70ff WriteFile 9924->9925 9924->9948 9925->9948 9928 7fff2f3c6fb9 GetModuleFileNameA 9930 7fff2f3c6fd9 9928->9930 9933 7fff2f3c700a _FF_MSGBANNER 9928->9933 9929 7fff2f3c6550 _FF_MSGBANNER 6 API calls 9929->9928 9931 7fff2f3c7fbc _FF_MSGBANNER 42 API calls 9930->9931 9932 7fff2f3c6ff1 9931->9932 9932->9933 9935 7fff2f3c6550 _FF_MSGBANNER 6 API calls 9932->9935 9934 7fff2f3c7065 9933->9934 9983 7fff2f3cbf14 9933->9983 9992 7fff2f3cbdf4 9934->9992 9935->9933 9939 7fff2f3c7090 9941 7fff2f3cbdf4 _FF_MSGBANNER 42 API calls 9939->9941 9940 7fff2f3c6550 _FF_MSGBANNER 6 API calls 9940->9939 9943 7fff2f3c70a6 9941->9943 9944 7fff2f3c70bf 9943->9944 9946 7fff2f3c6550 _FF_MSGBANNER 6 API calls 9943->9946 10001 7fff2f3cd0b8 9944->10001 9945 7fff2f3c6550 _FF_MSGBANNER 6 API calls 9945->9934 9946->9944 9948->9904 10019 7fff2f3c3310 GetModuleHandleW 9949->10019 10022 7fff2f3c2d70 GetLastError FlsGetValue 9952->10022 9954 7fff2f3c67e9 9954->9903 9956 7fff2f3cd2b4 9955->9956 9957 7fff2f3c716e 9956->9957 9958 7fff2f3c67e0 _errno 45 API calls 9956->9958 9957->9910 9957->9914 9959 7fff2f3cd2d9 9958->9959 9961 7fff2f3c66d8 DecodePointer 9959->9961 9962 7fff2f3c6709 9961->9962 9963 7fff2f3c6723 _invalid_parameter_noinfo 9961->9963 9962->9957 9965 7fff2f3c6550 9963->9965 9972 7fff2f3c87a0 9965->9972 9968 7fff2f3c65ad 9969 7fff2f3c660d IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 9968->9969 9970 7fff2f3c6658 GetCurrentProcess TerminateProcess 9969->9970 9971 7fff2f3c664c _invalid_parameter_noinfo 9969->9971 9970->9962 9971->9970 9973 7fff2f3c6570 RtlCaptureContext 9972->9973 9973->9968 9975 7fff2f3c7fc7 9974->9975 9976 7fff2f3c7fd1 9974->9976 9975->9976 9981 7fff2f3c7ffd 9975->9981 9977 7fff2f3c67e0 _errno 45 API calls 9976->9977 9978 7fff2f3c7fd9 9977->9978 9979 7fff2f3c66d8 _invalid_parameter_noinfo 7 API calls 9978->9979 9980 7fff2f3c6fa0 9979->9980 9980->9928 9980->9929 9981->9980 9982 7fff2f3c67e0 _errno 45 API calls 9981->9982 9982->9978 9986 7fff2f3cbf22 9983->9986 9984 7fff2f3cbf27 9985 7fff2f3c67e0 _errno 45 API calls 9984->9985 9987 7fff2f3c704c 9984->9987 9991 7fff2f3cbf51 9985->9991 9986->9984 9986->9987 9989 7fff2f3cbf75 9986->9989 9987->9934 9987->9945 9988 7fff2f3c66d8 _invalid_parameter_noinfo 7 API calls 9988->9987 9989->9987 9990 7fff2f3c67e0 _errno 45 API calls 9989->9990 9990->9991 9991->9988 9993 7fff2f3cbe0c 9992->9993 9996 7fff2f3cbe02 9992->9996 9994 7fff2f3c67e0 _errno 45 API calls 9993->9994 9995 7fff2f3cbe14 9994->9995 9997 7fff2f3c66d8 _invalid_parameter_noinfo 7 API calls 9995->9997 9996->9993 9998 7fff2f3cbe50 9996->9998 9999 7fff2f3c7077 9997->9999 9998->9999 10000 7fff2f3c67e0 _errno 45 API calls 9998->10000 9999->9939 9999->9940 10000->9995 10018 7fff2f3c2c5c EncodePointer 10001->10018 10020 7fff2f3c332a GetProcAddress 10019->10020 10021 7fff2f3c333f ExitProcess 10019->10021 10020->10021 10023 7fff2f3c2dde SetLastError 10022->10023 10024 7fff2f3c2d96 10022->10024 10023->9954 10025 7fff2f3c3108 __wtomb_environ 40 API calls 10024->10025 10026 7fff2f3c2da3 10025->10026 10026->10023 10027 7fff2f3c2dab FlsSetValue 10026->10027 10028 7fff2f3c2dd7 10027->10028 10029 7fff2f3c2dc1 10027->10029 10031 7fff2f3c3024 free 40 API calls 10028->10031 10030 7fff2f3c2cbc _getptd 40 API calls 10029->10030 10033 7fff2f3c2dc8 GetCurrentThreadId 10030->10033 10032 7fff2f3c2ddc 10031->10032 10032->10023 10033->10023 10035 7fff2f3c4ed9 10034->10035 10036 7fff2f3c4ee3 10034->10036 10038 7fff2f3c4cd4 10035->10038 10036->9817 10062 7fff2f3c2df4 10038->10062 10045 7fff2f3c4e81 10045->10036 10046 7fff2f3c309c __setargv 45 API calls 10047 7fff2f3c4d24 __initmbctable 10046->10047 10047->10045 10085 7fff2f3c4a0c 10047->10085 10050 7fff2f3c4d5f 10055 7fff2f3c3024 free 45 API calls 10050->10055 10056 7fff2f3c4d84 10050->10056 10051 7fff2f3c4e83 10051->10045 10052 7fff2f3c4e9c 10051->10052 10053 7fff2f3c3024 free 45 API calls 10051->10053 10054 7fff2f3c67e0 _errno 45 API calls 10052->10054 10053->10052 10054->10045 10055->10056 10056->10045 10095 7fff2f3c6ba0 10056->10095 10063 7fff2f3c2d70 _getptd 45 API calls 10062->10063 10064 7fff2f3c2dff 10063->10064 10065 7fff2f3c2e0f 10064->10065 10101 7fff2f3c32e0 10064->10101 10067 7fff2f3c48c0 10065->10067 10068 7fff2f3c2df4 _getptd 45 API calls 10067->10068 10069 7fff2f3c48cf 10068->10069 10070 7fff2f3c6ba0 _lock 45 API calls 10069->10070 10072 7fff2f3c48ea 10069->10072 10076 7fff2f3c48fd 10070->10076 10071 7fff2f3c496e 10078 7fff2f3c497c 10071->10078 10072->10071 10075 7fff2f3c32e0 _getptd 45 API calls 10072->10075 10073 7fff2f3c4934 10106 7fff2f3c6a80 LeaveCriticalSection 10073->10106 10075->10071 10076->10073 10077 7fff2f3c3024 free 45 API calls 10076->10077 10077->10073 10107 7fff2f3c2534 10078->10107 10081 7fff2f3c499c GetOEMCP 10084 7fff2f3c49ac 10081->10084 10082 7fff2f3c49c1 10083 7fff2f3c49c6 GetACP 10082->10083 10082->10084 10083->10084 10084->10045 10084->10046 10086 7fff2f3c497c __initmbctable 47 API calls 10085->10086 10087 7fff2f3c4a33 10086->10087 10088 7fff2f3c4a3b __initmbctable 10087->10088 10090 7fff2f3c4a8c IsValidCodePage 10087->10090 10094 7fff2f3c4ab2 _FF_MSGBANNER 10087->10094 10284 7fff2f3c20e0 10088->10284 10090->10088 10092 7fff2f3c4a9d GetCPInfo 10090->10092 10091 7fff2f3c4c6f 10091->10050 10091->10051 10092->10088 10092->10094 10274 7fff2f3c46dc GetCPInfo 10094->10274 10096 7fff2f3c6bbe 10095->10096 10097 7fff2f3c6bcf EnterCriticalSection 10095->10097 10412 7fff2f3c6ab8 10096->10412 10100 7fff2f3c32e0 _getptd 44 API calls 10100->10097 10102 7fff2f3c7160 _FF_MSGBANNER 44 API calls 10101->10102 10103 7fff2f3c32ed 10102->10103 10104 7fff2f3c6f0c _FF_MSGBANNER 44 API calls 10103->10104 10105 7fff2f3c32f4 DecodePointer 10104->10105 10108 7fff2f3c254a 10107->10108 10112 7fff2f3c25ae 10107->10112 10109 7fff2f3c2df4 _getptd 45 API calls 10108->10109 10110 7fff2f3c254f 10109->10110 10111 7fff2f3c2587 10110->10111 10115 7fff2f3c524c 10110->10115 10111->10112 10114 7fff2f3c48c0 __initmbctable 45 API calls 10111->10114 10112->10081 10112->10082 10114->10112 10116 7fff2f3c2df4 _getptd 45 API calls 10115->10116 10117 7fff2f3c5257 10116->10117 10118 7fff2f3c5280 10117->10118 10120 7fff2f3c5272 10117->10120 10119 7fff2f3c6ba0 _lock 45 API calls 10118->10119 10121 7fff2f3c528a 10119->10121 10122 7fff2f3c2df4 _getptd 45 API calls 10120->10122 10129 7fff2f3c51f4 10121->10129 10124 7fff2f3c5277 10122->10124 10127 7fff2f3c52b8 10124->10127 10128 7fff2f3c32e0 _getptd 45 API calls 10124->10128 10127->10111 10128->10127 10130 7fff2f3c523e 10129->10130 10131 7fff2f3c5202 localeconv 10129->10131 10133 7fff2f3c6a80 LeaveCriticalSection 10130->10133 10131->10130 10134 7fff2f3c4f04 10131->10134 10135 7fff2f3c4f9b 10134->10135 10137 7fff2f3c4f22 10134->10137 10136 7fff2f3c4fee 10135->10136 10138 7fff2f3c3024 free 45 API calls 10135->10138 10148 7fff2f3c501b 10136->10148 10186 7fff2f3c98a4 10136->10186 10137->10135 10147 7fff2f3c3024 free 45 API calls 10137->10147 10150 7fff2f3c4f61 10137->10150 10140 7fff2f3c4fbf 10138->10140 10142 7fff2f3c3024 free 45 API calls 10140->10142 10149 7fff2f3c4fd3 10142->10149 10143 7fff2f3c4f83 10145 7fff2f3c3024 free 45 API calls 10143->10145 10144 7fff2f3c5067 10151 7fff2f3c4f8f 10145->10151 10146 7fff2f3c3024 free 45 API calls 10146->10148 10152 7fff2f3c4f55 10147->10152 10148->10144 10159 7fff2f3c3024 45 API calls free 10148->10159 10153 7fff2f3c3024 free 45 API calls 10149->10153 10150->10143 10154 7fff2f3c3024 free 45 API calls 10150->10154 10155 7fff2f3c3024 free 45 API calls 10151->10155 10162 7fff2f3c9df8 10152->10162 10157 7fff2f3c4fe2 10153->10157 10158 7fff2f3c4f77 10154->10158 10155->10135 10161 7fff2f3c3024 free 45 API calls 10157->10161 10178 7fff2f3c9b68 10158->10178 10159->10148 10161->10136 10163 7fff2f3c9e87 10162->10163 10164 7fff2f3c9e01 10162->10164 10163->10150 10165 7fff2f3c9e1b 10164->10165 10166 7fff2f3c3024 free 45 API calls 10164->10166 10167 7fff2f3c9e2d 10165->10167 10168 7fff2f3c3024 free 45 API calls 10165->10168 10166->10165 10169 7fff2f3c9e3f 10167->10169 10170 7fff2f3c3024 free 45 API calls 10167->10170 10168->10167 10171 7fff2f3c9e51 10169->10171 10172 7fff2f3c3024 free 45 API calls 10169->10172 10170->10169 10173 7fff2f3c9e63 10171->10173 10175 7fff2f3c3024 free 45 API calls 10171->10175 10172->10171 10174 7fff2f3c9e75 10173->10174 10176 7fff2f3c3024 free 45 API calls 10173->10176 10174->10163 10177 7fff2f3c3024 free 45 API calls 10174->10177 10175->10173 10176->10174 10177->10163 10179 7fff2f3c9b6d 10178->10179 10183 7fff2f3c9baa 10178->10183 10180 7fff2f3c9b86 10179->10180 10181 7fff2f3c3024 free 45 API calls 10179->10181 10182 7fff2f3c3024 free 45 API calls 10180->10182 10184 7fff2f3c9b98 10180->10184 10181->10180 10182->10184 10183->10143 10184->10183 10185 7fff2f3c3024 free 45 API calls 10184->10185 10185->10183 10187 7fff2f3c98ad 10186->10187 10273 7fff2f3c500f 10186->10273 10188 7fff2f3c3024 free 45 API calls 10187->10188 10189 7fff2f3c98be 10188->10189 10190 7fff2f3c3024 free 45 API calls 10189->10190 10191 7fff2f3c98c7 10190->10191 10192 7fff2f3c3024 free 45 API calls 10191->10192 10193 7fff2f3c98d0 10192->10193 10194 7fff2f3c3024 free 45 API calls 10193->10194 10195 7fff2f3c98d9 10194->10195 10196 7fff2f3c3024 free 45 API calls 10195->10196 10197 7fff2f3c98e2 10196->10197 10198 7fff2f3c3024 free 45 API calls 10197->10198 10199 7fff2f3c98eb 10198->10199 10200 7fff2f3c3024 free 45 API calls 10199->10200 10201 7fff2f3c98f3 10200->10201 10202 7fff2f3c3024 free 45 API calls 10201->10202 10203 7fff2f3c98fc 10202->10203 10204 7fff2f3c3024 free 45 API calls 10203->10204 10205 7fff2f3c9905 10204->10205 10206 7fff2f3c3024 free 45 API calls 10205->10206 10207 7fff2f3c990e 10206->10207 10208 7fff2f3c3024 free 45 API calls 10207->10208 10209 7fff2f3c9917 10208->10209 10210 7fff2f3c3024 free 45 API calls 10209->10210 10211 7fff2f3c9920 10210->10211 10212 7fff2f3c3024 free 45 API calls 10211->10212 10213 7fff2f3c9929 10212->10213 10214 7fff2f3c3024 free 45 API calls 10213->10214 10215 7fff2f3c9932 10214->10215 10216 7fff2f3c3024 free 45 API calls 10215->10216 10217 7fff2f3c993b 10216->10217 10218 7fff2f3c3024 free 45 API calls 10217->10218 10219 7fff2f3c9944 10218->10219 10220 7fff2f3c3024 free 45 API calls 10219->10220 10221 7fff2f3c9950 10220->10221 10222 7fff2f3c3024 free 45 API calls 10221->10222 10223 7fff2f3c995c 10222->10223 10224 7fff2f3c3024 free 45 API calls 10223->10224 10225 7fff2f3c9968 10224->10225 10226 7fff2f3c3024 free 45 API calls 10225->10226 10227 7fff2f3c9974 10226->10227 10228 7fff2f3c3024 free 45 API calls 10227->10228 10229 7fff2f3c9980 10228->10229 10230 7fff2f3c3024 free 45 API calls 10229->10230 10231 7fff2f3c998c 10230->10231 10232 7fff2f3c3024 free 45 API calls 10231->10232 10233 7fff2f3c9998 10232->10233 10234 7fff2f3c3024 free 45 API calls 10233->10234 10235 7fff2f3c99a4 10234->10235 10236 7fff2f3c3024 free 45 API calls 10235->10236 10237 7fff2f3c99b0 10236->10237 10238 7fff2f3c3024 free 45 API calls 10237->10238 10239 7fff2f3c99bc 10238->10239 10240 7fff2f3c3024 free 45 API calls 10239->10240 10241 7fff2f3c99c8 10240->10241 10242 7fff2f3c3024 free 45 API calls 10241->10242 10243 7fff2f3c99d4 10242->10243 10244 7fff2f3c3024 free 45 API calls 10243->10244 10245 7fff2f3c99e0 10244->10245 10246 7fff2f3c3024 free 45 API calls 10245->10246 10247 7fff2f3c99ec 10246->10247 10248 7fff2f3c3024 free 45 API calls 10247->10248 10249 7fff2f3c99f8 10248->10249 10250 7fff2f3c3024 free 45 API calls 10249->10250 10251 7fff2f3c9a04 10250->10251 10252 7fff2f3c3024 free 45 API calls 10251->10252 10253 7fff2f3c9a10 10252->10253 10254 7fff2f3c3024 free 45 API calls 10253->10254 10255 7fff2f3c9a1c 10254->10255 10256 7fff2f3c3024 free 45 API calls 10255->10256 10257 7fff2f3c9a28 10256->10257 10258 7fff2f3c3024 free 45 API calls 10257->10258 10259 7fff2f3c9a34 10258->10259 10260 7fff2f3c3024 free 45 API calls 10259->10260 10261 7fff2f3c9a40 10260->10261 10262 7fff2f3c3024 free 45 API calls 10261->10262 10263 7fff2f3c9a4c 10262->10263 10264 7fff2f3c3024 free 45 API calls 10263->10264 10265 7fff2f3c9a58 10264->10265 10266 7fff2f3c3024 free 45 API calls 10265->10266 10267 7fff2f3c9a64 10266->10267 10268 7fff2f3c3024 free 45 API calls 10267->10268 10269 7fff2f3c9a70 10268->10269 10270 7fff2f3c3024 free 45 API calls 10269->10270 10271 7fff2f3c9a7c 10270->10271 10272 7fff2f3c3024 free 45 API calls 10271->10272 10272->10273 10273->10146 10275 7fff2f3c471e _FF_MSGBANNER 10274->10275 10283 7fff2f3c480a 10274->10283 10295 7fff2f3c91a0 10275->10295 10278 7fff2f3c20e0 __initmbctable 8 API calls 10280 7fff2f3c48aa 10278->10280 10280->10088 10282 7fff2f3c8e9c __initmbctable 78 API calls 10282->10283 10283->10278 10285 7fff2f3c20e9 10284->10285 10286 7fff2f3c20f4 10285->10286 10287 7fff2f3c23e8 RtlCaptureContext RtlLookupFunctionEntry 10285->10287 10286->10091 10288 7fff2f3c246d 10287->10288 10289 7fff2f3c242c RtlVirtualUnwind 10287->10289 10290 7fff2f3c248f IsDebuggerPresent 10288->10290 10289->10290 10411 7fff2f3c460c 10290->10411 10292 7fff2f3c24ee SetUnhandledExceptionFilter UnhandledExceptionFilter 10293 7fff2f3c250c _invalid_parameter_noinfo 10292->10293 10294 7fff2f3c2516 GetCurrentProcess TerminateProcess 10292->10294 10293->10294 10294->10091 10296 7fff2f3c2534 _wcstoui64_l 45 API calls 10295->10296 10297 7fff2f3c91c4 10296->10297 10305 7fff2f3c8f34 10297->10305 10300 7fff2f3c8e9c 10301 7fff2f3c2534 _wcstoui64_l 45 API calls 10300->10301 10302 7fff2f3c8ec0 10301->10302 10364 7fff2f3c895c 10302->10364 10306 7fff2f3c8f84 GetStringTypeW 10305->10306 10307 7fff2f3c8fc1 10305->10307 10308 7fff2f3c8f9e 10306->10308 10309 7fff2f3c8fa6 GetLastError 10306->10309 10307->10308 10310 7fff2f3c90f0 10307->10310 10311 7fff2f3c8fea MultiByteToWideChar 10308->10311 10320 7fff2f3c90e9 10308->10320 10309->10307 10329 7fff2f3ce1e8 GetLocaleInfoA 10310->10329 10317 7fff2f3c9018 10311->10317 10311->10320 10314 7fff2f3c20e0 __initmbctable 8 API calls 10315 7fff2f3c47a1 10314->10315 10315->10300 10316 7fff2f3c914b GetStringTypeA 10319 7fff2f3c916e 10316->10319 10316->10320 10321 7fff2f3c6c34 realloc 45 API calls 10317->10321 10327 7fff2f3c903d _wcsftime_l _FF_MSGBANNER 10317->10327 10324 7fff2f3c3024 free 45 API calls 10319->10324 10320->10314 10321->10327 10322 7fff2f3c90a4 MultiByteToWideChar 10325 7fff2f3c90db 10322->10325 10326 7fff2f3c90c6 GetStringTypeW 10322->10326 10324->10320 10325->10320 10328 7fff2f3c3024 free 45 API calls 10325->10328 10326->10325 10327->10320 10327->10322 10328->10320 10330 7fff2f3ce21a 10329->10330 10331 7fff2f3ce21f 10329->10331 10333 7fff2f3c20e0 __initmbctable 8 API calls 10330->10333 10360 7fff2f3c2100 10331->10360 10334 7fff2f3c911a 10333->10334 10334->10316 10334->10320 10335 7fff2f3ce23c 10334->10335 10336 7fff2f3ce28e GetCPInfo 10335->10336 10337 7fff2f3ce366 10335->10337 10338 7fff2f3ce33f MultiByteToWideChar 10336->10338 10339 7fff2f3ce2a0 10336->10339 10340 7fff2f3c20e0 __initmbctable 8 API calls 10337->10340 10338->10337 10346 7fff2f3ce2c5 _FF_MSGBANNER 10338->10346 10339->10338 10341 7fff2f3ce2aa GetCPInfo 10339->10341 10342 7fff2f3c9140 10340->10342 10341->10338 10343 7fff2f3ce2bf 10341->10343 10342->10316 10342->10320 10343->10338 10343->10346 10344 7fff2f3c6c34 realloc 45 API calls 10347 7fff2f3ce301 _wcsftime_l _FF_MSGBANNER 10344->10347 10345 7fff2f3ce39d MultiByteToWideChar 10348 7fff2f3ce3c7 10345->10348 10349 7fff2f3ce3ff 10345->10349 10346->10344 10346->10347 10347->10337 10347->10345 10350 7fff2f3ce3cc WideCharToMultiByte 10348->10350 10351 7fff2f3ce407 10348->10351 10349->10337 10352 7fff2f3c3024 free 45 API calls 10349->10352 10350->10349 10353 7fff2f3ce40d WideCharToMultiByte 10351->10353 10354 7fff2f3ce439 10351->10354 10352->10337 10353->10349 10353->10354 10355 7fff2f3c3108 __wtomb_environ 45 API calls 10354->10355 10356 7fff2f3ce446 10355->10356 10356->10349 10357 7fff2f3ce44e WideCharToMultiByte 10356->10357 10357->10349 10358 7fff2f3ce477 10357->10358 10359 7fff2f3c3024 free 45 API calls 10358->10359 10359->10349 10361 7fff2f3c287c 10360->10361 10362 7fff2f3c25f8 _wcstoui64_l 67 API calls 10361->10362 10363 7fff2f3c28a7 10362->10363 10363->10330 10365 7fff2f3c89b4 LCMapStringW 10364->10365 10368 7fff2f3c89d8 10364->10368 10366 7fff2f3c89e4 GetLastError 10365->10366 10365->10368 10366->10368 10367 7fff2f3c8ca6 10371 7fff2f3ce1e8 _wcstoui64_l 67 API calls 10367->10371 10368->10367 10369 7fff2f3c8a53 10368->10369 10370 7fff2f3c8c9f 10369->10370 10372 7fff2f3c8a71 MultiByteToWideChar 10369->10372 10373 7fff2f3c20e0 __initmbctable 8 API calls 10370->10373 10374 7fff2f3c8cd4 10371->10374 10372->10370 10381 7fff2f3c8aa0 10372->10381 10375 7fff2f3c47d4 10373->10375 10374->10370 10377 7fff2f3c8cf3 10374->10377 10378 7fff2f3c8e2f LCMapStringA 10374->10378 10375->10282 10376 7fff2f3c8b1c MultiByteToWideChar 10379 7fff2f3c8b46 LCMapStringW 10376->10379 10380 7fff2f3c8c91 10376->10380 10382 7fff2f3ce23c _wcstoui64_l 60 API calls 10377->10382 10393 7fff2f3c8d3b 10378->10393 10379->10380 10383 7fff2f3c8b70 10379->10383 10380->10370 10388 7fff2f3c3024 free 45 API calls 10380->10388 10384 7fff2f3c8ad1 _wcsftime_l 10381->10384 10385 7fff2f3c6c34 realloc 45 API calls 10381->10385 10386 7fff2f3c8d0b 10382->10386 10389 7fff2f3c8b7b 10383->10389 10396 7fff2f3c8bb6 10383->10396 10384->10370 10384->10376 10385->10384 10386->10370 10390 7fff2f3c8d13 LCMapStringA 10386->10390 10387 7fff2f3c8e5f 10387->10370 10394 7fff2f3c3024 free 45 API calls 10387->10394 10388->10370 10389->10380 10392 7fff2f3c8b92 LCMapStringW 10389->10392 10390->10393 10398 7fff2f3c8d42 10390->10398 10391 7fff2f3c3024 free 45 API calls 10391->10387 10392->10380 10393->10387 10393->10391 10394->10370 10395 7fff2f3c8c23 LCMapStringW 10399 7fff2f3c8c83 10395->10399 10400 7fff2f3c8c44 WideCharToMultiByte 10395->10400 10397 7fff2f3c6c34 realloc 45 API calls 10396->10397 10404 7fff2f3c8bd4 _wcsftime_l 10396->10404 10397->10404 10402 7fff2f3c8d63 _wcsftime_l _FF_MSGBANNER 10398->10402 10403 7fff2f3c6c34 realloc 45 API calls 10398->10403 10399->10380 10408 7fff2f3c3024 free 45 API calls 10399->10408 10400->10399 10401 7fff2f3c8dc5 LCMapStringA 10405 7fff2f3c8ded 10401->10405 10406 7fff2f3c8df1 10401->10406 10402->10393 10402->10401 10403->10402 10404->10380 10404->10395 10405->10393 10410 7fff2f3c3024 free 45 API calls 10405->10410 10409 7fff2f3ce23c _wcstoui64_l 60 API calls 10406->10409 10408->10380 10409->10405 10410->10393 10411->10292 10413 7fff2f3c6adf 10412->10413 10414 7fff2f3c6af6 10412->10414 10415 7fff2f3c7160 _FF_MSGBANNER 44 API calls 10413->10415 10416 7fff2f3c6b0b 10414->10416 10418 7fff2f3c309c __setargv 44 API calls 10414->10418 10417 7fff2f3c6ae4 10415->10417 10416->10097 10416->10100 10419 7fff2f3c6f0c _FF_MSGBANNER 44 API calls 10417->10419 10420 7fff2f3c6b19 10418->10420 10421 7fff2f3c6aec 10419->10421 10422 7fff2f3c6b21 10420->10422 10423 7fff2f3c6b30 10420->10423 10425 7fff2f3c334c _lock 3 API calls 10421->10425 10426 7fff2f3c67e0 _errno 44 API calls 10422->10426 10424 7fff2f3c6ba0 _lock 44 API calls 10423->10424 10427 7fff2f3c6b3a 10424->10427 10425->10414 10426->10416 10428 7fff2f3c6b72 10427->10428 10429 7fff2f3c6b43 10427->10429 10431 7fff2f3c3024 free 44 API calls 10428->10431 10430 7fff2f3c7ee4 _lock InitializeCriticalSectionAndSpinCount 10429->10430 10432 7fff2f3c6b50 10430->10432 10437 7fff2f3c6b61 LeaveCriticalSection 10431->10437 10434 7fff2f3c3024 free 44 API calls 10432->10434 10432->10437 10435 7fff2f3c6b5c 10434->10435 10436 7fff2f3c67e0 _errno 44 API calls 10435->10436 10436->10437 10437->10416 10439 7fff2f3c740a EncodePointer 10438->10439 10439->10439 10440 7fff2f3c741f 10439->10440 10440->9840 10444 7fff2f3c72d4 10441->10444 10457 7fff2f3c3364 10444->10457 10459 7fff2f3c6d01 10458->10459 10460 7fff2f3c6d33 realloc 10458->10460 10459->10460 10461 7fff2f3c6d0f 10459->10461 10463 7fff2f3c6d4b RtlAllocateHeap 10460->10463 10466 7fff2f3c6d2f 10460->10466 10462 7fff2f3c67e0 _errno 44 API calls 10461->10462 10464 7fff2f3c6d14 10462->10464 10463->10460 10463->10466 10465 7fff2f3c66d8 _invalid_parameter_noinfo 7 API calls 10464->10465 10465->10466 10466->9844 10469 7fff2f3c2e21 10468->10469 10497 7fff2f3c2f42 10468->10497 10470 7fff2f3c3024 free 45 API calls 10469->10470 10471 7fff2f3c2e3c 10469->10471 10470->10471 10472 7fff2f3c3024 free 45 API calls 10471->10472 10474 7fff2f3c2e4a 10471->10474 10472->10474 10473 7fff2f3c2e58 10475 7fff2f3c2e66 10473->10475 10477 7fff2f3c3024 free 45 API calls 10473->10477 10474->10473 10476 7fff2f3c3024 free 45 API calls 10474->10476 10478 7fff2f3c2e74 10475->10478 10479 7fff2f3c3024 free 45 API calls 10475->10479 10476->10473 10477->10475 10480 7fff2f3c2e82 10478->10480 10481 7fff2f3c3024 free 45 API calls 10478->10481 10479->10478 10482 7fff2f3c2e93 10480->10482 10483 7fff2f3c3024 free 45 API calls 10480->10483 10481->10480 10484 7fff2f3c2eab 10482->10484 10485 7fff2f3c3024 free 45 API calls 10482->10485 10483->10482 10486 7fff2f3c6ba0 _lock 45 API calls 10484->10486 10485->10484 10489 7fff2f3c2eb5 10486->10489 10487 7fff2f3c2ee3 10500 7fff2f3c6a80 LeaveCriticalSection 10487->10500 10489->10487 10491 7fff2f3c3024 free 45 API calls 10489->10491 10491->10487 10497->9871 10501 7fff2f3c2050 10504 7fff2f381000 10501->10504 10505 7fff2f38101e ExitProcess 10504->10505

                                                                    Executed Functions

                                                                    Function 00E00000 Relevance: 76.3, APIs: 5, Strings: 38, Instructions: 1094memoryCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 8 e00000-e00460 call e00aa8 * 2 VirtualAlloc 30 e00462-e00466 8->30 31 e0048a-e00494 8->31 32 e00468-e00488 30->32 34 e00a91-e00aa6 31->34 35 e0049a-e0049e 31->35 32->31 32->32 35->34 36 e004a4-e004a8 35->36 36->34 37 e004ae-e004b2 36->37 37->34 38 e004b8-e004bf 37->38 38->34 39 e004c5-e004d2 38->39 39->34 40 e004d8-e004e1 39->40 40->34 41 e004e7-e004f4 40->41 41->34 42 e004fa-e00507 41->42 43 e00531-e00567 GetNativeSystemInfo 42->43 44 e00509-e00511 42->44 43->34 46 e0056d-e00589 VirtualAlloc 43->46 45 e00513-e00518 44->45 49 e00521 45->49 50 e0051a-e0051f 45->50 47 e005a0-e005ac 46->47 48 e0058b-e0059e 46->48 51 e005af-e005b2 47->51 48->47 52 e00523-e0052f 49->52 50->52 54 e005c1-e005db 51->54 55 e005b4-e005bf 51->55 52->43 52->45 56 e0061b-e00622 54->56 57 e005dd-e005e2 54->57 55->51 59 e00628-e0062f 56->59 60 e006db-e006e2 56->60 58 e005e4-e005ea 57->58 61 e0060b-e00619 58->61 62 e005ec-e00609 58->62 59->60 63 e00635-e00642 59->63 64 e00864-e0086b 60->64 65 e006e8-e006f9 60->65 61->56 61->58 62->61 62->62 63->60 68 e00648-e0064f 63->68 66 e00871-e0087f 64->66 67 e00917-e00929 64->67 69 e00702-e00705 65->69 74 e0090e-e00911 66->74 72 e00a07-e00a1a 67->72 73 e0092f-e00937 67->73 75 e00654-e00658 68->75 70 e00707-e0070a 69->70 71 e006fb-e006ff 69->71 77 e00788-e0078e 70->77 78 e0070c-e0071d 70->78 71->69 92 e00a40-e00a4a 72->92 93 e00a1c-e00a27 72->93 80 e0093b-e0093f 73->80 74->67 79 e00884-e008a9 74->79 76 e006c0-e006ca 75->76 84 e0065a-e00669 76->84 85 e006cc-e006d2 76->85 81 e00794-e007a2 77->81 78->81 82 e0071f-e00720 78->82 100 e00907-e0090c 79->100 101 e008ab-e008b1 79->101 86 e00945-e0095a 80->86 87 e009ec-e009fa 80->87 94 e007a8 81->94 95 e0085d-e0085e 81->95 91 e00722-e00784 82->91 88 e0067a-e0067e 84->88 89 e0066b-e00678 84->89 85->75 96 e006d4-e006d5 85->96 98 e0097b-e0097d 86->98 99 e0095c-e0095e 86->99 87->80 90 e00a00-e00a01 87->90 105 e00680-e0068a 88->105 106 e0068c-e00690 88->106 104 e006bd-e006be 89->104 90->72 91->91 109 e00786 91->109 112 e00a7b-e00a8e 92->112 113 e00a4c-e00a54 92->113 110 e00a38-e00a3e 93->110 111 e007ae-e007d4 94->111 95->64 96->60 107 e009a2-e009a4 98->107 108 e0097f-e00981 98->108 102 e00960-e0096c 99->102 103 e0096e-e00979 99->103 100->74 122 e008b3-e008b9 101->122 123 e008bb-e008c8 101->123 114 e009be-e009bf 102->114 103->114 104->76 115 e006b6-e006ba 105->115 118 e00692-e006a3 106->118 119 e006a5-e006a9 106->119 120 e009a6-e009aa 107->120 121 e009ac-e009bb 107->121 116 e00983-e00987 108->116 117 e00989-e0098b 108->117 109->81 110->92 124 e00a29-e00a35 110->124 139 e00835-e00839 111->139 140 e007d6-e007d9 111->140 112->34 113->112 125 e00a56-e00a79 RtlAddFunctionTable 113->125 128 e009c5-e009cb 114->128 115->104 116->114 117->107 126 e0098d-e0098f 117->126 118->115 119->104 127 e006ab-e006b3 119->127 120->114 121->114 129 e008ea-e008fe 122->129 130 e008d3-e008e5 123->130 131 e008ca-e008d1 123->131 124->110 125->112 134 e00991-e00997 126->134 135 e00999-e009a0 126->135 127->115 136 e009d9-e009e9 VirtualProtect 128->136 137 e009cd-e009d3 128->137 129->100 147 e00900-e00905 129->147 130->129 131->130 131->131 134->114 135->128 136->87 137->136 141 e00844-e00850 139->141 142 e0083b 139->142 144 e007e3-e007f0 140->144 145 e007db-e007e1 140->145 141->111 146 e00856-e00857 141->146 142->141 149 e007f2-e007f9 144->149 150 e007fb-e0080d 144->150 148 e00812-e0082c 145->148 146->95 147->101 148->139 152 e0082e-e00833 148->152 149->149 149->150 150->148 152->140
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.385961759.0000000000E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_e00000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
                                                                    • String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
                                                                    • API String ID: 394283112-2517549848
                                                                    • Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                    • Instruction ID: ea2244953945569d3afa411ff2fba454dc4ae47dd9982f1336c970cb71230ecd
                                                                    • Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                    • Instruction Fuzzy Hash: 6772D530618B488FDB29DF18C8857B9B7E1FB98305F14562EE8CAD7251DB34D982CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018002C058 Relevance: 10.4, Strings: 8, Instructions: 370COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #C$(I$-:$Ekf$<W$Z$l$l
                                                                    • API String ID: 0-464535774
                                                                    • Opcode ID: af6d23bac9e0564b4dade6cc976aa0f49490c733fc6aa684993268249fb5a7be
                                                                    • Instruction ID: edc4d0e98499d5b5adff65828f8d1fd2ac7ce79502a6533da94e18623254a36a
                                                                    • Opcode Fuzzy Hash: af6d23bac9e0564b4dade6cc976aa0f49490c733fc6aa684993268249fb5a7be
                                                                    • Instruction Fuzzy Hash: C102E3B151038CDBCB99DF28C8CAADD3BA1FB48398F956219FD0697260D774D884CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180007958 Relevance: 9.3, Strings: 7, Instructions: 551COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 287 180007958-1800079e2 call 1800142a0 290 1800079e5-1800079eb 287->290 291 1800079f1 290->291 292 180007f68-180007f6e 290->292 295 180007eb7-180007f4d call 180021434 291->295 296 1800079f7-1800079fd 291->296 293 180008084-1800080f6 call 180021434 292->293 294 180007f74-180007f7a 292->294 309 1800080fb-180008101 293->309 297 180007fb4-180008075 call 18001e794 294->297 298 180007f7c-180007f82 294->298 310 180007f52-180007f58 295->310 299 180007d01-180007e4c call 180008738 296->299 300 180007a03-180007a09 296->300 319 18000807a-18000807f 297->319 303 180007f84-180007f8a 298->303 304 180007f9a-180007faf 298->304 299->319 327 180007e52-180007eaf call 18001d408 299->327 305 180007c76-180007cf7 call 180013e28 300->305 306 180007a0f-180007a15 300->306 314 18000811e-180008124 303->314 315 180007f90-180007f95 303->315 304->290 305->299 316 180007a1b-180007a21 306->316 317 180007b1d-180007c71 call 180018c60 call 180001b1c 306->317 320 180008103-180008108 309->320 321 18000810d 309->321 311 1800081dd-1800081fd 310->311 312 180007f5e 310->312 312->292 314->311 323 18000812a 314->323 315->290 325 180007a27-180007a2d 316->325 326 18000812f-1800081d8 call 180013e28 316->326 322 180008112-18000811b 317->322 329 180007b0c-180007b18 320->329 321->322 322->314 323->290 325->314 331 180007a33-180007af3 call 18002b4c4 325->331 326->311 327->295 329->290 338 180007af8-180007b06 331->338 338->329
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 0n)G$9i&$IS_$c)K$oh$oh$J
                                                                    • API String ID: 0-4168131144
                                                                    • Opcode ID: a2fd07809090c8a4a54937da8c6413b95d54b2adce31cd57800155d5b9f01661
                                                                    • Instruction ID: 1745985c1503e7a5a98bbeacef01b65c9f03634c62e3202666f04ad1fcc3199d
                                                                    • Opcode Fuzzy Hash: a2fd07809090c8a4a54937da8c6413b95d54b2adce31cd57800155d5b9f01661
                                                                    • Instruction Fuzzy Hash: 69423870A0470CABCB58DF68C58AADEBBF1FB44304F40C169EC4AAB250D7759B19CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180010FF4 Relevance: 7.9, Strings: 6, Instructions: 363COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 389 180010ff4-180011016 390 180011020 389->390 391 180011022-180011028 390->391 392 180011814 391->392 393 18001102e-180011034 391->393 394 180011819-18001181f 392->394 395 1800114e2-1800114ec 393->395 396 18001103a-180011040 393->396 394->391 397 180011825-180011832 394->397 400 1800114f5-18001151d 395->400 401 1800114ee-1800114f3 395->401 398 1800113e2-1800114d2 call 180008200 396->398 399 180011046-18001104c 396->399 398->397 408 1800114d8-1800114dd 398->408 399->394 403 180011052-18001120b call 180021040 call 1800291ac 399->403 404 180011523-1800117f4 call 180016314 call 1800291ac call 18001e2bc 400->404 401->404 415 180011212-1800113d7 call 1800291ac call 18001e2bc 403->415 416 18001120d 403->416 419 1800117f9-180011803 404->419 408->391 415->397 424 1800113dd 415->424 416->415 419->397 421 180011805-18001180f 419->421 421->391 424->390
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: )|x$/Zb$/v|$OV4T$\$lA
                                                                    • API String ID: 0-3528011396
                                                                    • Opcode ID: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
                                                                    • Instruction ID: 5dbdb21e6b24644f90705741d0e2e2cc24c858ca1caac6c8284349b4f9dc1789
                                                                    • Opcode Fuzzy Hash: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
                                                                    • Instruction Fuzzy Hash: 8C2204705097C8CBDBBECF64C885BDA7BA8FB44B08F10521DEA4A9E258DB745744CB41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180021618 Relevance: 7.8, Strings: 6, Instructions: 266COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 425 180021618-180021653 426 180021655-18002165a 425->426 427 180021bf3-180021c25 426->427 428 180021660-180021665 426->428 429 180021c2a-180021c2f 427->429 430 180021a81-180021bda call 180016314 428->430 431 18002166b-180021670 428->431 433 180021838-180021845 429->433 434 180021c35 429->434 438 180021bdf-180021bee 430->438 435 1800219f3-180021a7c call 180001b1c 431->435 436 180021676-18002167b 431->436 434->426 435->426 439 1800219e4-1800219ee 436->439 440 180021681-180021686 436->440 438->426 439->426 442 1800219d5-1800219df call 18001dfb4 440->442 443 18002168c-180021691 440->443 442->426 445 180021697-18002169c 443->445 446 18002190c-1800219a5 call 18000abac 443->446 447 1800216a2-1800216a7 445->447 448 180021846-180021907 call 180021434 445->448 453 1800219aa-1800219b0 446->453 447->429 451 1800216ad-180021835 call 180008200 call 1800166c0 447->451 448->426 451->433 456 1800219b2-1800219c6 453->456 457 1800219cb-1800219d0 453->457 456->426 457->426
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $&.+$)O$.pN$F>9$t(/
                                                                    • API String ID: 0-3036092626
                                                                    • Opcode ID: af092a803e8c5a8f60e198926b85640c086359e1e86988e2bc1304063bab4e4b
                                                                    • Instruction ID: e4baced68933c0a0796cf32b330105f1a6d3ed4de4784e8c7f389f9334031704
                                                                    • Opcode Fuzzy Hash: af092a803e8c5a8f60e198926b85640c086359e1e86988e2bc1304063bab4e4b
                                                                    • Instruction Fuzzy Hash: E6E109716093C89FEBBACF24C8897DE7BA1FB59344F50421DD88A8E250DB745B49CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180028C20 Relevance: 6.6, Strings: 5, Instructions: 335COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 490 180028c20-180028c53 491 180028c58-180028c5e 490->491 492 180028c64-180028c6a 491->492 493 1800290ae-180029147 call 180013e28 491->493 494 1800290a4-1800290a9 492->494 495 180028c70-180028c76 492->495 502 18002914c-180029152 493->502 494->491 497 180029003-18002909f call 180008ea0 495->497 498 180028c7c-180028c82 495->498 497->491 500 180028c88-180028c8e 498->500 501 180028fab-180028ffe call 1800223c4 498->501 505 180028c94-180028c9a 500->505 506 180028df6-180028e1e 500->506 501->491 507 180029154 502->507 508 18002919c-1800291a8 502->508 511 180028d62-180028ddb call 180016bd8 505->511 512 180028ca0-180028ca6 505->512 506->491 510 180028e24-180028e3c 506->510 507->491 514 180028e42-180028ee6 call 18001d49c 510->514 515 180028ee9-180028f0b 510->515 524 180028de0-180028de6 511->524 516 180028cac-180028cb2 512->516 517 180029159-180029197 call 1800164c8 512->517 514->515 520 180028f94-180028f95 515->520 521 180028f11-180028f92 call 18001d49c 515->521 516->502 522 180028cb8-180028d5d call 180010c00 516->522 517->508 527 180028f98-180028f9b 520->527 521->527 522->491 524->508 529 180028dec-180028df1 524->529 527->491 531 180028fa1-180028fa6 527->531 529->491 531->491
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: :G$Q27$_5$yy8x$Mh
                                                                    • API String ID: 0-3587547327
                                                                    • Opcode ID: 315710b1bd8495485e823c5d8e4dda2fa20a4e0309c27e75a691e805bd33ac06
                                                                    • Instruction ID: f758bc8895b8ed7f582f71be29fb7142b0f1d07f9cbefdc8313849e51cf7b1d3
                                                                    • Opcode Fuzzy Hash: 315710b1bd8495485e823c5d8e4dda2fa20a4e0309c27e75a691e805bd33ac06
                                                                    • Instruction Fuzzy Hash: 3DF1E07051434CEBDFA9DF68C8CAA9D3BA0FF48394FA06219FD0696250D775D988CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000C608 Relevance: 5.6, Strings: 4, Instructions: 616COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 533 18000c608-18000c62d 534 18000c632-18000c637 533->534 535 18000cc8a-18000cc8f 534->535 536 18000c63d 534->536 537 18000cc95-18000cc9a 535->537 538 18000cf2b-18000cfaf call 18001f7c0 call 18001c32c 535->538 539 18000c643-18000c648 536->539 540 18000cb7d-18000cc23 call 1800269b0 call 18001c32c 536->540 542 18000ce33-18000ced7 call 180008ad8 call 18001c32c 537->542 543 18000cca0-18000cca5 537->543 575 18000cfb4-18000d00a call 1800194a4 538->575 544 18000caa5-18000cb78 call 1800176b8 call 18001c32c call 1800194a4 539->544 545 18000c64e-18000c653 539->545 565 18000cc28-18000cc85 call 1800194a4 540->565 581 18000cedc-18000cf26 call 1800194a4 542->581 549 18000cd35-18000cdce call 18000703c call 18001c32c 543->549 550 18000ccab-18000ccb0 543->550 544->534 552 18000c9c1-18000caa0 call 18002870c call 18001c32c call 1800194a4 545->552 553 18000c659-18000c65e 545->553 586 18000cdd3-18000ce2e call 1800194a4 549->586 558 18000ccb6-18000cd30 call 180021434 550->558 559 18000d00f-18000d014 550->559 552->534 561 18000c664-18000c669 553->561 562 18000c8bb-18000c963 call 180002610 call 18001c32c 553->562 558->534 559->534 567 18000d01a-18000d020 559->567 571 18000c7b2-18000c85a call 180019618 call 18001c32c 561->571 572 18000c66f-18000c674 561->572 601 18000c968-18000c9bc call 1800194a4 562->601 565->534 604 18000c85f-18000c8b6 call 1800194a4 571->604 572->559 584 18000c67a-18000c73d call 180002178 call 18001c32c 572->584 575->559 581->534 607 18000c742-18000c7ad call 1800194a4 584->607 586->534 601->534 604->534 607->534
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: +#;)$K'$sf$w\H
                                                                    • API String ID: 0-1051058546
                                                                    • Opcode ID: 4270ae10590fc2f5bcc1345d173ce3869455f0ae6b4cef3f0208413052bdacb8
                                                                    • Instruction ID: 30c6111824d62709d88844cae5ccd518ea343406d57bec7882368cdc1c6a6611
                                                                    • Opcode Fuzzy Hash: 4270ae10590fc2f5bcc1345d173ce3869455f0ae6b4cef3f0208413052bdacb8
                                                                    • Instruction Fuzzy Hash: 8362F97050068D8FDB48DF28C89A6DD3FA1FB58388F524229FC4AA7251D778D999CBC4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001E3AC Relevance: 4.0, Strings: 3, Instructions: 215COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: <4P$<8$<w.
                                                                    • API String ID: 0-1030867500
                                                                    • Opcode ID: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
                                                                    • Instruction ID: 97d266913d6b0fd63d839b3c54903fd41a2ccd22a8a26fffcb9587bfe3b6431f
                                                                    • Opcode Fuzzy Hash: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
                                                                    • Instruction Fuzzy Hash: C8B1E17151A384ABD788CF28C1C994BBBE1FBD4754F906A1DF8C68B260D7B0D948CB02
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180013E28 Relevance: 2.6, Strings: 2, Instructions: 87COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: %'#$'1O"
                                                                    • API String ID: 0-3508158491
                                                                    • Opcode ID: 7a3bc090f4985b1e57649fadf31b142a2b067212ca7952ade99d041dbd471a2f
                                                                    • Instruction ID: 10e181b0c1a65fbc894e9b150557277c676d109d9ee8fa061bdc989f931bd19f
                                                                    • Opcode Fuzzy Hash: 7a3bc090f4985b1e57649fadf31b142a2b067212ca7952ade99d041dbd471a2f
                                                                    • Instruction Fuzzy Hash: A541C471D1471C9FCB84CFA8D98AACDBBF0FB48354F249119E445B6250D3B85988CF69
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180009100 Relevance: .1, Instructions: 125COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
                                                                    • Instruction ID: 281782cf28aa09d34d334260f991d1b96cfbd8271b51b9b7c31761fd0664cb75
                                                                    • Opcode Fuzzy Hash: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
                                                                    • Instruction Fuzzy Hash: 4B51EC715087889BCBB8DF18C9856CA7BF0FF95704F50891DE9898B250DF719A44DB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C3EEC Relevance: 15.1, APIs: 10, Instructions: 121COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: EnvironmentStrings$Free$ByteCharMultiWide$ErrorLastfree
                                                                    • String ID:
                                                                    • API String ID: 994105223-0
                                                                    • Opcode ID: f850f7f34601db923eac004d86ac393417d210c29532925b20230ca42a5e0836
                                                                    • Instruction ID: 8e258c814166b63394638eee2ff03625dc54116ce92f30158460c15c377a6f36
                                                                    • Opcode Fuzzy Hash: f850f7f34601db923eac004d86ac393417d210c29532925b20230ca42a5e0836
                                                                    • Instruction Fuzzy Hash: E7416F22F6E35681EA649B91ADC4079A7E5BF44BB0F154834DA4E2BBD4CE3CEC91C704
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C2154 Relevance: 10.6, APIs: 7, Instructions: 87threadCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 187 7fff2f3c2154-7fff2f3c2160 188 7fff2f3c2162-7fff2f3c216b call 7fff2f3c4110 187->188 189 7fff2f3c21e1-7fff2f3c21e3 187->189 194 7fff2f3c216d-7fff2f3c216f 188->194 198 7fff2f3c2174-7fff2f3c217b call 7fff2f3c2fa0 188->198 191 7fff2f3c221e-7fff2f3c2221 189->191 192 7fff2f3c21e5-7fff2f3c21ed 189->192 196 7fff2f3c2279-7fff2f3c227c 191->196 197 7fff2f3c2223-7fff2f3c2232 call 7fff2f3c2c88 call 7fff2f3c3108 191->197 192->194 195 7fff2f3c21f3-7fff2f3c2201 192->195 199 7fff2f3c228a-7fff2f3c228f 194->199 200 7fff2f3c2208-7fff2f3c220b 195->200 201 7fff2f3c2203 call 7fff2f3c36d0 195->201 202 7fff2f3c227e-7fff2f3c2280 call 7fff2f3c2f50 196->202 203 7fff2f3c2285 196->203 213 7fff2f3c2237-7fff2f3c223d 197->213 214 7fff2f3c217d-7fff2f3c2182 call 7fff2f3c415c 198->214 215 7fff2f3c2184-7fff2f3c21a9 call 7fff2f3c40a0 GetCommandLineA call 7fff2f3c3eec call 7fff2f3c3758 198->215 200->203 208 7fff2f3c220d-7fff2f3c221c call 7fff2f3c3a48 call 7fff2f3c2c94 call 7fff2f3c415c 200->208 201->200 202->203 203->199 208->203 213->194 217 7fff2f3c2243-7fff2f3c2257 FlsSetValue 213->217 214->194 236 7fff2f3c21ab-7fff2f3c21b0 call 7fff2f3c2c94 215->236 237 7fff2f3c21b2-7fff2f3c21b9 call 7fff2f3c3df4 215->237 221 7fff2f3c2259-7fff2f3c226d call 7fff2f3c2cbc GetCurrentThreadId 217->221 222 7fff2f3c226f-7fff2f3c2274 call 7fff2f3c3024 217->222 221->203 222->194 236->214 242 7fff2f3c21da-7fff2f3c21df call 7fff2f3c3a48 237->242 243 7fff2f3c21bb-7fff2f3c21c2 call 7fff2f3c3aec 237->243 242->236 243->242 248 7fff2f3c21c4-7fff2f3c21c6 call 7fff2f3c347c 243->248 250 7fff2f3c21cb-7fff2f3c21cd 248->250 250->242 251 7fff2f3c21cf-7fff2f3c21d5 250->251 251->203
                                                                    APIs
                                                                      • Part of subcall function 00007FFF2F3C4110: HeapCreate.KERNELBASE(?,?,?,?,00007FFF2F3C2169), ref: 00007FFF2F3C4122
                                                                      • Part of subcall function 00007FFF2F3C4110: HeapSetInformation.KERNEL32 ref: 00007FFF2F3C414C
                                                                    • _RTC_Initialize.LIBCMT ref: 00007FFF2F3C2184
                                                                    • GetCommandLineA.KERNEL32 ref: 00007FFF2F3C2189
                                                                      • Part of subcall function 00007FFF2F3C3EEC: GetEnvironmentStringsW.KERNELBASE(?,?,?,?,?,?,?,00007FFF2F3C219B), ref: 00007FFF2F3C3F1B
                                                                      • Part of subcall function 00007FFF2F3C3EEC: GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FFF2F3C219B), ref: 00007FFF2F3C3F5B
                                                                      • Part of subcall function 00007FFF2F3C3758: GetStartupInfoA.KERNEL32 ref: 00007FFF2F3C377D
                                                                    • __setargv.LIBCMT ref: 00007FFF2F3C21B2
                                                                    • _cinit.LIBCMT ref: 00007FFF2F3C21C6
                                                                      • Part of subcall function 00007FFF2F3C2C94: FlsFree.KERNEL32(?,?,?,?,00007FFF2F3C2217), ref: 00007FFF2F3C2CA3
                                                                      • Part of subcall function 00007FFF2F3C2C94: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFF2F3C2217), ref: 00007FFF2F3C6A32
                                                                      • Part of subcall function 00007FFF2F3C2C94: free.LIBCMT ref: 00007FFF2F3C6A3B
                                                                      • Part of subcall function 00007FFF2F3C2C94: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFF2F3C2217), ref: 00007FFF2F3C6A5B
                                                                      • Part of subcall function 00007FFF2F3C3108: Sleep.KERNEL32(?,?,0000000A,00007FFF2F3C2DA3,?,?,?,00007FFF2F3C2DFF,?,?,?,00007FFF2F3C254F,?,?,?,00007FFF2F3C262A), ref: 00007FFF2F3C314D
                                                                    • FlsSetValue.KERNEL32 ref: 00007FFF2F3C224C
                                                                    • GetCurrentThreadId.KERNEL32 ref: 00007FFF2F3C2260
                                                                    • free.LIBCMT ref: 00007FFF2F3C226F
                                                                      • Part of subcall function 00007FFF2F3C3024: HeapFree.KERNEL32(?,?,00000000,00007FFF2F3C2DDC,?,?,?,00007FFF2F3C2DFF,?,?,?,00007FFF2F3C254F,?,?,?,00007FFF2F3C262A), ref: 00007FFF2F3C303A
                                                                      • Part of subcall function 00007FFF2F3C3024: _errno.LIBCMT ref: 00007FFF2F3C3044
                                                                      • Part of subcall function 00007FFF2F3C3024: GetLastError.KERNEL32(?,?,00000000,00007FFF2F3C2DDC,?,?,?,00007FFF2F3C2DFF,?,?,?,00007FFF2F3C254F,?,?,?,00007FFF2F3C262A), ref: 00007FFF2F3C304C
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Heapfree$CriticalDeleteEnvironmentFreeSectionStrings$CommandCreateCurrentErrorInfoInformationInitializeLastLineSleepStartupThreadValue__setargv_cinit_errno
                                                                    • String ID:
                                                                    • API String ID: 1549890855-0
                                                                    • Opcode ID: 1bfc46722c3ac8e7b1a3fe84d8ded69fde3dc3f1e7eef4d63a5cdedb7541036a
                                                                    • Instruction ID: e3b109fff75f84f7f5f27a4823947e65f27f1ac568caa79a86e85ddc53eed247
                                                                    • Opcode Fuzzy Hash: 1bfc46722c3ac8e7b1a3fe84d8ded69fde3dc3f1e7eef4d63a5cdedb7541036a
                                                                    • Instruction Fuzzy Hash: 2C31BD21F3E20385FAA867A19DC22B921D5AF55F74F108134DA1EBD2C2EE2DFC408212
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C4CD4 Relevance: 9.1, APIs: 6, Instructions: 122COMMONLIBRARYCODE
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • _getptd.LIBCMT ref: 00007FFF2F3C4CF3
                                                                      • Part of subcall function 00007FFF2F3C497C: GetOEMCP.KERNEL32(?,?,?,?,?,?,?,00007FFF2F3C4D0E,?,?,?,?,?,00007FFF2F3C4EE3), ref: 00007FFF2F3C49A6
                                                                      • Part of subcall function 00007FFF2F3C309C: Sleep.KERNEL32(?,?,00000000,00007FFF2F3C6B19,?,?,00000000,00007FFF2F3C6BC3,?,?,?,?,?,?,00000000,00007FFF2F3C2DC8), ref: 00007FFF2F3C30D2
                                                                    • free.LIBCMT ref: 00007FFF2F3C4D7F
                                                                      • Part of subcall function 00007FFF2F3C3024: HeapFree.KERNEL32(?,?,00000000,00007FFF2F3C2DDC,?,?,?,00007FFF2F3C2DFF,?,?,?,00007FFF2F3C254F,?,?,?,00007FFF2F3C262A), ref: 00007FFF2F3C303A
                                                                      • Part of subcall function 00007FFF2F3C3024: _errno.LIBCMT ref: 00007FFF2F3C3044
                                                                      • Part of subcall function 00007FFF2F3C3024: GetLastError.KERNEL32(?,?,00000000,00007FFF2F3C2DDC,?,?,?,00007FFF2F3C2DFF,?,?,?,00007FFF2F3C254F,?,?,?,00007FFF2F3C262A), ref: 00007FFF2F3C304C
                                                                    • _lock.LIBCMT ref: 00007FFF2F3C4DB7
                                                                    • free.LIBCMT ref: 00007FFF2F3C4E67
                                                                    • free.LIBCMT ref: 00007FFF2F3C4E97
                                                                    • _errno.LIBCMT ref: 00007FFF2F3C4E9C
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: free$_errno_getptd$ErrorFreeHeapLastSleep_lock
                                                                    • String ID:
                                                                    • API String ID: 1264244385-0
                                                                    • Opcode ID: 2d1c73193aff0bd2fa234daa6436aaac9807f819087f81d2c1bddea91d33e348
                                                                    • Instruction ID: 9a93cde7a7048e275dae5730180a5ce366f6cb8ea2cfe03a5f4d5bd680b24a3f
                                                                    • Opcode Fuzzy Hash: 2d1c73193aff0bd2fa234daa6436aaac9807f819087f81d2c1bddea91d33e348
                                                                    • Instruction Fuzzy Hash: 9651AD22B2964286E7509BA5ED80279B7E1FB84B74F154236DA5E6B3E5CF3CEC01C700
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C6C34 Relevance: 7.5, APIs: 5, Instructions: 47memoryCOMMONLIBRARYCODE
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _errno$AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 502529563-0
                                                                    • Opcode ID: d18ae8e3cce73ce1a52224a39a8d43e75eaf3a21478d7bf67846a2816eda3af9
                                                                    • Instruction ID: bb2490a4941f5f7b2be5b6fb457e6c25830baa2a7b29bab2960a0e6198332ea2
                                                                    • Opcode Fuzzy Hash: d18ae8e3cce73ce1a52224a39a8d43e75eaf3a21478d7bf67846a2816eda3af9
                                                                    • Instruction Fuzzy Hash: B5113715B2A64645FA546BA1ECD127D36D0DF84BB0F048530EA1D6F7C2CE3CEC508B11
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C1EE7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47memoryCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: AllocateBoundaryDeleteDescriptorHeap
                                                                    • String ID: vb4vcW2kAW3Twaz?30
                                                                    • API String ID: 254689257-4179232793
                                                                    • Opcode ID: 08b1cf252e4ad689d9d92df66199491e9f35c83da394e0c34af369396f0aa75a
                                                                    • Instruction ID: 6a8324f848ac208f58ce994575db75d06ea2df3b2bf7c56dc35969957ea37874
                                                                    • Opcode Fuzzy Hash: 08b1cf252e4ad689d9d92df66199491e9f35c83da394e0c34af369396f0aa75a
                                                                    • Instruction Fuzzy Hash: 2421273261CE8686E3308B54E8943AA77E5FB88758F404535C68D9B7A5CF7DD901DB00
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C2FA0 Relevance: 4.5, APIs: 3, Instructions: 35memorythreadCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 00007FFF2F3C36F0: _initp_misc_winsig.LIBCMT ref: 00007FFF2F3C3729
                                                                      • Part of subcall function 00007FFF2F3C36F0: EncodePointer.KERNEL32(?,?,?,00007FFF2F3C2FAB,?,?,?,00007FFF2F3C2179), ref: 00007FFF2F3C3745
                                                                    • FlsAlloc.KERNEL32(?,?,?,00007FFF2F3C2179), ref: 00007FFF2F3C2FBB
                                                                      • Part of subcall function 00007FFF2F3C3108: Sleep.KERNEL32(?,?,0000000A,00007FFF2F3C2DA3,?,?,?,00007FFF2F3C2DFF,?,?,?,00007FFF2F3C254F,?,?,?,00007FFF2F3C262A), ref: 00007FFF2F3C314D
                                                                    • FlsSetValue.KERNEL32(?,?,?,00007FFF2F3C2179), ref: 00007FFF2F3C2FEC
                                                                    • GetCurrentThreadId.KERNEL32 ref: 00007FFF2F3C3000
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _lock$AllocCurrentEncodePointerSleepThreadValue_initp_misc_winsig
                                                                    • String ID:
                                                                    • API String ID: 54287522-0
                                                                    • Opcode ID: 926dbc3dc0f4bcdbbdac5bfac17ca3eb5364a16ed8e4c5d99003da15ed9a218c
                                                                    • Instruction ID: edd112bacaf75c9a000bda13d18f56d126621ff7bfabaf85c0acccd4b1505c2c
                                                                    • Opcode Fuzzy Hash: 926dbc3dc0f4bcdbbdac5bfac17ca3eb5364a16ed8e4c5d99003da15ed9a218c
                                                                    • Instruction Fuzzy Hash: 59014B21F2A60381FB14ABB19CC527872E16F04B30F044234D53EAE2E1EE2DEC859624
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180001BDC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 115processCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateProcess
                                                                    • String ID: :}
                                                                    • API String ID: 963392458-2902022129
                                                                    • Opcode ID: d4da30051582f0c34577a92f260795e531c0ce67ba31d10d3ee514360786ef98
                                                                    • Instruction ID: 26ea99709d6fc87808755d2915912d2f892c3b8ed2aa040ac50dc8635ae9c2e3
                                                                    • Opcode Fuzzy Hash: d4da30051582f0c34577a92f260795e531c0ce67ba31d10d3ee514360786ef98
                                                                    • Instruction Fuzzy Hash: EB415A7091C7888FD7B4DF58D4857AABBE0FBC8314F108A1EE48DD7255DB7498458B82
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C2050 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: ExitProcess
                                                                    • String ID: JKvDDasqwOPvGXZdqW
                                                                    • API String ID: 621844428-4059861069
                                                                    • Opcode ID: deed1fdb9085c7dcd35d809f3e44395f38d7cca76780fd27941661c68abd14ec
                                                                    • Instruction ID: d05487e088ba20cf39538214f29fb1d99845232f5b6c106d3cfcd87970bdf911
                                                                    • Opcode Fuzzy Hash: deed1fdb9085c7dcd35d809f3e44395f38d7cca76780fd27941661c68abd14ec
                                                                    • Instruction Fuzzy Hash: D3D0C721B28B8181D620A790FC4535A63E4FB89364FC00130D5CC5A754DF7CD555C704
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C6CEC Relevance: 3.1, APIs: 2, Instructions: 52memoryCOMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • _errno.LIBCMT ref: 00007FFF2F3C6D0F
                                                                      • Part of subcall function 00007FFF2F3C66D8: DecodePointer.KERNEL32 ref: 00007FFF2F3C66FF
                                                                    • RtlAllocateHeap.NTDLL(?,?,?,?,00000000,00007FFF2F3C313B,?,?,0000000A,00007FFF2F3C2DA3,?,?,?,00007FFF2F3C2DFF), ref: 00007FFF2F3C6D58
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: AllocateDecodeHeapPointer_errno
                                                                    • String ID:
                                                                    • API String ID: 15861996-0
                                                                    • Opcode ID: 39e9772f0cc65a7484b61a3e1fb2b868eaa6fa792f1398e078783a6d2fc3ba42
                                                                    • Instruction ID: 283e62359e06cb34204f7dee949bf9ee72548050a84e36536810c253ffb7017b
                                                                    • Opcode Fuzzy Hash: 39e9772f0cc65a7484b61a3e1fb2b868eaa6fa792f1398e078783a6d2fc3ba42
                                                                    • Instruction Fuzzy Hash: 1511E722B2E24646FB145B65EE8837962E19F807F4F088A34CE1D1F6C4DE7CAC008A10
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C36F0 Relevance: 3.0, APIs: 2, Instructions: 26COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • _initp_misc_winsig.LIBCMT ref: 00007FFF2F3C3729
                                                                      • Part of subcall function 00007FFF2F3C755C: EncodePointer.KERNEL32(?,?,?,?,00007FFF2F3C373E,?,?,?,00007FFF2F3C2FAB,?,?,?,00007FFF2F3C2179), ref: 00007FFF2F3C7567
                                                                    • EncodePointer.KERNEL32(?,?,?,00007FFF2F3C2FAB,?,?,?,00007FFF2F3C2179), ref: 00007FFF2F3C3745
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: EncodePointer$_initp_misc_winsig
                                                                    • String ID:
                                                                    • API String ID: 190222155-0
                                                                    • Opcode ID: 29817383cbd5b8fc12b900dc218af1d2c44829c2a488d6b4e34f3447ba8c1d75
                                                                    • Instruction ID: ecc176de3f22392fb443ea9d7cdefca409092db9753ac2678d48c3476a9a30ad
                                                                    • Opcode Fuzzy Hash: 29817383cbd5b8fc12b900dc218af1d2c44829c2a488d6b4e34f3447ba8c1d75
                                                                    • Instruction Fuzzy Hash: 7FF02B10FAA24B45E919BB626CE20B822C01F96BA0F982070ED1E2E3D3DD2CED559744
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C4110 Relevance: 3.0, APIs: 2, Instructions: 18memoryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Heap$CreateInformation
                                                                    • String ID:
                                                                    • API String ID: 1774340351-0
                                                                    • Opcode ID: 489fa6aa26c4b222785c1fb3dc785f295b08bd9aa245ee8ef2e9349b67055af0
                                                                    • Instruction ID: 10cb194780791f320e9828eadc4591bc011a59a25f23b1a0755a73405473eb18
                                                                    • Opcode Fuzzy Hash: 489fa6aa26c4b222785c1fb3dc785f295b08bd9aa245ee8ef2e9349b67055af0
                                                                    • Instruction Fuzzy Hash: 4DE04F75F3678182E7989BA1EC8976962A0FB88750F809439EA4D527D4DF3CD4458A00
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C73F4 Relevance: 1.5, APIs: 1, Instructions: 15COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • EncodePointer.KERNEL32(?,?,?,00007FFF2F3C34AF,?,?,?,00007FFF2F3C21CB), ref: 00007FFF2F3C740D
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: EncodePointer
                                                                    • String ID:
                                                                    • API String ID: 2118026453-0
                                                                    • Opcode ID: 0a2c1c774571843224449336236925bab63b88d9ce0b4f967ac09496dc1b8d3d
                                                                    • Instruction ID: adbb7345133a7d13c23c97ee075116b5dc33bc2145c54bafb342f778c8aa76b7
                                                                    • Opcode Fuzzy Hash: 0a2c1c774571843224449336236925bab63b88d9ce0b4f967ac09496dc1b8d3d
                                                                    • Instruction Fuzzy Hash: 84D05E32F68A8582EB109B61F9D026C33E4FB84BA4F58C031DA5C0B689DE3CCC96C700
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C3108 Relevance: 1.3, APIs: 1, Instructions: 36sleepCOMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • Sleep.KERNEL32(?,?,0000000A,00007FFF2F3C2DA3,?,?,?,00007FFF2F3C2DFF,?,?,?,00007FFF2F3C254F,?,?,?,00007FFF2F3C262A), ref: 00007FFF2F3C314D
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Sleep_errno
                                                                    • String ID:
                                                                    • API String ID: 1068366078-0
                                                                    • Opcode ID: 99b9e4cc6464749d47a71fc1b610823d805388b9272814145126b07a25ab941d
                                                                    • Instruction ID: e4e3ef930a685b178184f35f21757797fe749a068a3b127d7ea49ffc19ac586d
                                                                    • Opcode Fuzzy Hash: 99b9e4cc6464749d47a71fc1b610823d805388b9272814145126b07a25ab941d
                                                                    • Instruction Fuzzy Hash: B801A222B35B8586EA449B569C80029B6E1FB88FE0F480131DE5D1BB90CF38EC51C704
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C309C Relevance: 1.3, APIs: 1, Instructions: 30sleepCOMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                      • Part of subcall function 00007FFF2F3C6C34: _FF_MSGBANNER.LIBCMT ref: 00007FFF2F3C6C64
                                                                      • Part of subcall function 00007FFF2F3C6C34: RtlAllocateHeap.NTDLL(?,?,00000000,00007FFF2F3C30C0,?,?,00000000,00007FFF2F3C6B19,?,?,00000000,00007FFF2F3C6BC3), ref: 00007FFF2F3C6C89
                                                                      • Part of subcall function 00007FFF2F3C6C34: _errno.LIBCMT ref: 00007FFF2F3C6CAD
                                                                      • Part of subcall function 00007FFF2F3C6C34: _errno.LIBCMT ref: 00007FFF2F3C6CB8
                                                                    • Sleep.KERNEL32(?,?,00000000,00007FFF2F3C6B19,?,?,00000000,00007FFF2F3C6BC3,?,?,?,?,?,?,00000000,00007FFF2F3C2DC8), ref: 00007FFF2F3C30D2
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _errno$AllocateHeapSleep
                                                                    • String ID:
                                                                    • API String ID: 4153772858-0
                                                                    • Opcode ID: fda341601c3db2866e613cad0830f714017b4f3b234a5a25ccfa8741b4d7d732
                                                                    • Instruction ID: 1c6bfb310415f815a2cce9d1a71d1bf734d07a4080e1978a671118169294b100
                                                                    • Opcode Fuzzy Hash: fda341601c3db2866e613cad0830f714017b4f3b234a5a25ccfa8741b4d7d732
                                                                    • Instruction Fuzzy Hash: D8F0FC32B2978982EA509F55AC8007D72E1FB84BA0F454134EA5D1B7D5DF3CEC91C700
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions

                                                                    Function 00007FFF2F3C895C Relevance: 24.4, APIs: 16, Instructions: 377COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: String$free$ByteCharMultiWide$ErrorLast
                                                                    • String ID:
                                                                    • API String ID: 1446610345-0
                                                                    • Opcode ID: 1cb68e5ebb75471bd28e921dddda68db4bd0a605ea05e1978d1bd0bd9315b2d8
                                                                    • Instruction ID: 81f425d092e066e000fb0ef12e818c090dd10d459976b57f54e2e7acef45c4fe
                                                                    • Opcode Fuzzy Hash: 1cb68e5ebb75471bd28e921dddda68db4bd0a605ea05e1978d1bd0bd9315b2d8
                                                                    • Instruction Fuzzy Hash: 63F1C332B1A6818AE7608F25DC809A977D1FB447B8F548235EA5D6BBD4DF3CEE418700
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C7BE8 Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 78libraryloaderCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: DecodeErrorLastPointer_errno$AddressLibraryLoadProc
                                                                    • String ID: ADVAPI32.DLL$SystemFunction036
                                                                    • API String ID: 1558914745-1064046199
                                                                    • Opcode ID: a4bc4b26b88413057c65bce35d9d543f8071dd4b5a3168f49804b7622c4c0c09
                                                                    • Instruction ID: 686afe100602157d7d5c59eb41d887a159e4b16be54c6f496f0cb1e60d27ec0e
                                                                    • Opcode Fuzzy Hash: a4bc4b26b88413057c65bce35d9d543f8071dd4b5a3168f49804b7622c4c0c09
                                                                    • Instruction Fuzzy Hash: 9F315E21B2A65786FB10ABA5ACD527D22D0AF84BA0F548434EF0D6F7D6DE3CEC058600
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3CC934 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 161COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Locale$InfoValid$CodeDefaultPageUser_getptd_itow_s
                                                                    • String ID: Norwegian-Nynorsk
                                                                    • API String ID: 2273835618-461349085
                                                                    • Opcode ID: 27b601e54d08442215230f85cfe0824a991ba4f10c2dcca786a022abe7f281d3
                                                                    • Instruction ID: 9e0f243e3ae50de58db4d62f2cca5128f036c2beb2614b9fe54c8df1cbb99a4b
                                                                    • Opcode Fuzzy Hash: 27b601e54d08442215230f85cfe0824a991ba4f10c2dcca786a022abe7f281d3
                                                                    • Instruction Fuzzy Hash: F4615C76B2A69286FB659F61D8843B923E0AB44BA4F084135DE4D6B6E4DF3CED40C314
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3CB5CC Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407timeCOMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: FormatTime$__ascii_stricmpfree
                                                                    • String ID: a/p$am/pm
                                                                    • API String ID: 2252689280-3206640213
                                                                    • Opcode ID: f0a1e010cfc2bba628f50de28a03b415369789bd89755694daa0cdadb7c0128b
                                                                    • Instruction ID: 8b69db989f87249ad1fe215ac6fe14c158b51c74d1d87ff0bc373b940bb4cfbf
                                                                    • Opcode Fuzzy Hash: f0a1e010cfc2bba628f50de28a03b415369789bd89755694daa0cdadb7c0128b
                                                                    • Instruction Fuzzy Hash: 0FF1DF26B3E69285E7748F2588D01FC67E1FB047A4F449132EA8E6BAC5DE3DAC54C301
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C6F0C Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 137fileCOMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FFF2F3C7194,?,?,?,?,00007FFF2F3C6C69,?,?,00000000,00007FFF2F3C30C0), ref: 00007FFF2F3C6FCF
                                                                    • GetStdHandle.KERNEL32(?,?,?,?,?,00007FFF2F3C7194,?,?,?,?,00007FFF2F3C6C69,?,?,00000000,00007FFF2F3C30C0), ref: 00007FFF2F3C70DB
                                                                    • WriteFile.KERNEL32 ref: 00007FFF2F3C7115
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: File$HandleModuleNameWrite
                                                                    • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                    • API String ID: 3784150691-4022980321
                                                                    • Opcode ID: a3f87b8c5f367064f797f5b9ceb23e0cb6ebb80f3dcd78d3f9f2145c33283283
                                                                    • Instruction ID: 79e3c900bd881faa88345265cb34218f166efd4acc0f510b92020b31916ae5cb
                                                                    • Opcode Fuzzy Hash: a3f87b8c5f367064f797f5b9ceb23e0cb6ebb80f3dcd78d3f9f2145c33283283
                                                                    • Instruction Fuzzy Hash: F251B121B3A64741FB24DBA5ADE57BA22D1BF847B4F404136DD0DAEAD6CF3CE9058600
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C20E0 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
                                                                    • String ID:
                                                                    • API String ID: 3778485334-0
                                                                    • Opcode ID: 44244c45948aa76910f1429c67e23cf948153936c8457040e3babb9890c0c3d8
                                                                    • Instruction ID: 9f99653b28a14c6737e183390756eab2ca22da78cae42ce3f6435531083db92b
                                                                    • Opcode Fuzzy Hash: 44244c45948aa76910f1429c67e23cf948153936c8457040e3babb9890c0c3d8
                                                                    • Instruction Fuzzy Hash: ED310631A28B4686EB109BD0FC8036973E4FB84764F504136DA8D6A7E5DF7CE859C700
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3CE6C0 Relevance: 10.8, APIs: 7, Instructions: 301COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • _lock.LIBCMT ref: 00007FFF2F3CE6EB
                                                                    • free.LIBCMT ref: 00007FFF2F3CE7E2
                                                                      • Part of subcall function 00007FFF2F3C3024: HeapFree.KERNEL32(?,?,00000000,00007FFF2F3C2DDC,?,?,?,00007FFF2F3C2DFF,?,?,?,00007FFF2F3C254F,?,?,?,00007FFF2F3C262A), ref: 00007FFF2F3C303A
                                                                      • Part of subcall function 00007FFF2F3C3024: _errno.LIBCMT ref: 00007FFF2F3C3044
                                                                      • Part of subcall function 00007FFF2F3C3024: GetLastError.KERNEL32(?,?,00000000,00007FFF2F3C2DDC,?,?,?,00007FFF2F3C2DFF,?,?,?,00007FFF2F3C254F,?,?,?,00007FFF2F3C262A), ref: 00007FFF2F3C304C
                                                                    • ___lc_codepage_func.LIBCMT ref: 00007FFF2F3CE76B
                                                                      • Part of subcall function 00007FFF2F3C6550: RtlCaptureContext.KERNEL32 ref: 00007FFF2F3C658F
                                                                      • Part of subcall function 00007FFF2F3C6550: IsDebuggerPresent.KERNEL32 ref: 00007FFF2F3C662D
                                                                      • Part of subcall function 00007FFF2F3C6550: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFF2F3C6637
                                                                      • Part of subcall function 00007FFF2F3C6550: UnhandledExceptionFilter.KERNEL32 ref: 00007FFF2F3C6642
                                                                      • Part of subcall function 00007FFF2F3C6550: GetCurrentProcess.KERNEL32 ref: 00007FFF2F3C6658
                                                                      • Part of subcall function 00007FFF2F3C6550: TerminateProcess.KERNEL32 ref: 00007FFF2F3C6666
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _errno$ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerErrorFreeHeapLastPresentTerminate___lc_codepage_func_lockfree
                                                                    • String ID:
                                                                    • API String ID: 178205154-0
                                                                    • Opcode ID: 74de64cbd29ae749c01db9c906a5c8058d145dff36747eda2fd1744b72fc25a1
                                                                    • Instruction ID: 511e864bf0ccfc7d517240a4cc7bdfb75ad8fde439ef43822147becb5d6be67b
                                                                    • Opcode Fuzzy Hash: 74de64cbd29ae749c01db9c906a5c8058d145dff36747eda2fd1744b72fc25a1
                                                                    • Instruction Fuzzy Hash: CFD19032B2928289E7609F65DCD067976D6BB85760F404135DA8E7B7D6CF3CEC918B00
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3CDF98 Relevance: 10.6, APIs: 7, Instructions: 136COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFF2F3CE1C2), ref: 00007FFF2F3CDFF2
                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFF2F3CE1C2), ref: 00007FFF2F3CE004
                                                                    • GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFF2F3CE1C2), ref: 00007FFF2F3CE04F
                                                                    • GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFF2F3CE1C2), ref: 00007FFF2F3CE0E1
                                                                    • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFF2F3CE1C2), ref: 00007FFF2F3CE11B
                                                                    • free.LIBCMT ref: 00007FFF2F3CE12F
                                                                      • Part of subcall function 00007FFF2F3C6C34: _FF_MSGBANNER.LIBCMT ref: 00007FFF2F3C6C64
                                                                      • Part of subcall function 00007FFF2F3C6C34: RtlAllocateHeap.NTDLL(?,?,00000000,00007FFF2F3C30C0,?,?,00000000,00007FFF2F3C6B19,?,?,00000000,00007FFF2F3C6BC3), ref: 00007FFF2F3C6C89
                                                                      • Part of subcall function 00007FFF2F3C6C34: _errno.LIBCMT ref: 00007FFF2F3C6CAD
                                                                      • Part of subcall function 00007FFF2F3C6C34: _errno.LIBCMT ref: 00007FFF2F3C6CB8
                                                                    • GetLocaleInfoA.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFF2F3CE1C2), ref: 00007FFF2F3CE145
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: InfoLocale$_errno$AllocateByteCharErrorHeapLastMultiWidefree
                                                                    • String ID:
                                                                    • API String ID: 2309262205-0
                                                                    • Opcode ID: 71a04b091aa06e394b105ea5eb29500c7d2471e259f2c6ae1c50144f40b044a4
                                                                    • Instruction ID: 0ae3e2608227ccde167ded2884b52fd3a2665bd33be41dbc12bd58f301dc72d6
                                                                    • Opcode Fuzzy Hash: 71a04b091aa06e394b105ea5eb29500c7d2471e259f2c6ae1c50144f40b044a4
                                                                    • Instruction Fuzzy Hash: 0D51AF32B296A286E7609FA1DC8056973D2BB44BB4F544635DA1E2BBD4CE3CED90C340
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3CFCA0 Relevance: 9.1, APIs: 6, Instructions: 91COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _errno$DecodePointer_lock
                                                                    • String ID:
                                                                    • API String ID: 2175075375-0
                                                                    • Opcode ID: e83d4e1a308f3a4c606242a395cb5e969118d697d0d9f70e8103cd5b86654c3e
                                                                    • Instruction ID: efdc7f85be615a74112162fd69cd14a7ad373d99bb2d5f1e03d0325575697e48
                                                                    • Opcode Fuzzy Hash: e83d4e1a308f3a4c606242a395cb5e969118d697d0d9f70e8103cd5b86654c3e
                                                                    • Instruction Fuzzy Hash: 71318322B2A75242FB15AA71989977E61D1AF84790F048534DF4C6FBCADF3CDC118760
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C6550 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate
                                                                    • String ID:
                                                                    • API String ID: 1269745586-0
                                                                    • Opcode ID: 4b9ca92828b1b5c60ed307038ce46a3bf90eb6ca82a158dafa7f71ad6e682487
                                                                    • Instruction ID: 3418506ff118f9b0e81a35ebf29c94c073f0027e04be6c455b31a5bb53f56f8a
                                                                    • Opcode Fuzzy Hash: 4b9ca92828b1b5c60ed307038ce46a3bf90eb6ca82a158dafa7f71ad6e682487
                                                                    • Instruction Fuzzy Hash: 0B313E7261DB8282DA249B94E8803AEB3E0FB88755F500135DACD57B99DF3CD549CF00
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180022010 Relevance: 9.0, Strings: 7, Instructions: 235COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: "+H$1l7.$M8;$]$d$]k$]k$94
                                                                    • API String ID: 0-2447245168
                                                                    • Opcode ID: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
                                                                    • Instruction ID: 1221e244f5383d3e6569bf50eb566ee92e7d288cf12f4405919b94e37960c7a7
                                                                    • Opcode Fuzzy Hash: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
                                                                    • Instruction Fuzzy Hash: 3FB10D7160130CCBDBA9DF28C18A6DA3BE1FF48748F114129FD1A97261D774E919CB46
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3CC16C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: InfoLocale
                                                                    • String ID: ACP$OCP
                                                                    • API String ID: 2299586839-711371036
                                                                    • Opcode ID: 388ed1ec509bc17a1b1080bf0c7b12a90c89964bfa9f21f0ca41505682e31820
                                                                    • Instruction ID: ec7d8d89d38307d3c3ea573228e965ae44100673f7d3f4f0ccb4d5ebb474b4e6
                                                                    • Opcode Fuzzy Hash: 388ed1ec509bc17a1b1080bf0c7b12a90c89964bfa9f21f0ca41505682e31820
                                                                    • Instruction Fuzzy Hash: 6F214F31B2968381FA649BA1ED902B963E0BF44BE4F454131DA4D6B6E5EF2CED45C700
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180003598 Relevance: 8.2, Strings: 6, Instructions: 720COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 1h$I-$IY$QL&$li7$o
                                                                    • API String ID: 0-890095520
                                                                    • Opcode ID: d92cde7f9b8773e82faae5f21764c68a430e9ac7962d305d8d3ec3a014b69236
                                                                    • Instruction ID: 3309774e0679b3a301b7d0c809474a48ec240f33eb9a68417431e078f6a2137f
                                                                    • Opcode Fuzzy Hash: d92cde7f9b8773e82faae5f21764c68a430e9ac7962d305d8d3ec3a014b69236
                                                                    • Instruction Fuzzy Hash: 72921875604BC88BCBB8DF24DC85BDD7BE0FB86305F20561DD85E9AA60CBB85645CB02
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000AC48 Relevance: 8.0, Strings: 6, Instructions: 548COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 1$ {,$"$$-%$Rku$ i
                                                                    • API String ID: 0-1845893065
                                                                    • Opcode ID: 8a8483899f0d6f446eebdfc8e7bf7c7542960c12dc616770c4deeefd42d211ba
                                                                    • Instruction ID: cb6ea2ed9b9de3b3effb5fe074f3157ffd1060f729125c5012da7c2884d2f589
                                                                    • Opcode Fuzzy Hash: 8a8483899f0d6f446eebdfc8e7bf7c7542960c12dc616770c4deeefd42d211ba
                                                                    • Instruction Fuzzy Hash: EB52D470544BCA8BCBB8CF24CC85BEF7BA0FB44306F155529D89A8A291DBB85749CF41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180029B28 Relevance: 8.0, Strings: 6, Instructions: 535COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: VUS/$YV~$p$@$EX$OX
                                                                    • API String ID: 0-2743166816
                                                                    • Opcode ID: 42abff069bb8dd677487b4024391c19b5d6520d96b7057ef658f077a6ca5f53c
                                                                    • Instruction ID: 6ceb6cba6b0314249f0ec67deadc173c496f62a90fe3cec01f017443767c42d8
                                                                    • Opcode Fuzzy Hash: 42abff069bb8dd677487b4024391c19b5d6520d96b7057ef658f077a6ca5f53c
                                                                    • Instruction Fuzzy Hash: BD3213711097848FD3A9CF68C58A65BBBF0FBCA744F104A1DF68687260C7B6D949CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800059B8 Relevance: 7.9, Strings: 6, Instructions: 408COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: -!zt$Mv`b$R3T$d}9J$t:v$ru
                                                                    • API String ID: 0-2100131636
                                                                    • Opcode ID: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
                                                                    • Instruction ID: abddbd47ac15f5a8ffacaf8e31a06efd054a3dbd2afb1a66e8bbaa14beb483a4
                                                                    • Opcode Fuzzy Hash: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
                                                                    • Instruction Fuzzy Hash: C1221BB050478C8BDBB8CF64C9897DD7BB0FB44308F10862DDA5AAB250CBB45686CF59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180013780 Relevance: 7.8, Strings: 6, Instructions: 323COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $$"`2$lbzZ$lmq$tro$kO
                                                                    • API String ID: 0-2401169580
                                                                    • Opcode ID: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
                                                                    • Instruction ID: 279b0f6eedbbacd77816cba7ac57bf6919de5fbe0bc464da326619847ce4fcd1
                                                                    • Opcode Fuzzy Hash: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
                                                                    • Instruction Fuzzy Hash: BBF1C3709047488FDBA8DFA8D9867DDBBB1FB48304F20821DD84AEB255DB749A49CF41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C4558 Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                    • String ID:
                                                                    • API String ID: 1445889803-0
                                                                    • Opcode ID: 223c3edd6aa26ef4227c63ba9b3a174b47cd905fe72dc54f34602d1df15ca246
                                                                    • Instruction ID: 87065c4f6412987bd338bae383110d3f6a05cd8273704c81fd3667587104e39f
                                                                    • Opcode Fuzzy Hash: 223c3edd6aa26ef4227c63ba9b3a174b47cd905fe72dc54f34602d1df15ca246
                                                                    • Instruction Fuzzy Hash: 88016121B3DE0681EB408FA1FD8026563A4FB49BA1F44A530DE5E5B7E4DE3CDC958700
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000FC48 Relevance: 6.7, Strings: 5, Instructions: 447COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: )#?$EX.$PT$UbA$2f
                                                                    • API String ID: 0-1318892062
                                                                    • Opcode ID: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
                                                                    • Instruction ID: a9b5704be98d3dd027f678fe08c59eda011257bdda9cf4ed25ea0f7660729633
                                                                    • Opcode Fuzzy Hash: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
                                                                    • Instruction Fuzzy Hash: 8B320DB190078C8BDBB8CF64C8856DD7BF0FB48318F50852DEA1A9B251DBB45685CF98
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001FC0C Relevance: 6.6, Strings: 5, Instructions: 400COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $T$?F$QP|m$qjf$tZp
                                                                    • API String ID: 0-3477398917
                                                                    • Opcode ID: 5b73a1a625f2cfc86355e0bd41939d36f11956a340da434ded1f42b2c003968d
                                                                    • Instruction ID: e54beaa769b94aae3cb673a52a2b60ade73482c6e5d3d936cdc9b6ae13d51efd
                                                                    • Opcode Fuzzy Hash: 5b73a1a625f2cfc86355e0bd41939d36f11956a340da434ded1f42b2c003968d
                                                                    • Instruction Fuzzy Hash: 0B122870A0470CDFCF69DFA8C08A6DDBBF2FB44344F1091A9E816AB261D7759A19CB41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180016D3C Relevance: 6.6, Strings: 5, Instructions: 379COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: JQ$k&($t$v$x\J
                                                                    • API String ID: 0-1134872184
                                                                    • Opcode ID: bdc050f96bf44494249bd4848307985b7cf3b13daba02c673abc667a99b0703a
                                                                    • Instruction ID: 7c1fd17b310acde7e359d6be57bcfb6c2dd011f2caef592e77d3cba241376f6b
                                                                    • Opcode Fuzzy Hash: bdc050f96bf44494249bd4848307985b7cf3b13daba02c673abc667a99b0703a
                                                                    • Instruction Fuzzy Hash: F312E0B0504709EFCB99DF28C18AADE7BF0FB48308F40812AF80A9B254D774DA58DB45
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000703C Relevance: 6.3, Strings: 5, Instructions: 87COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: R$)H8$?rIc$L==$V
                                                                    • API String ID: 0-2512384441
                                                                    • Opcode ID: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
                                                                    • Instruction ID: 6f6f9af97a41f07aad9f9d1cbd67af5334817a93c453241fb2a5d498ae2065c2
                                                                    • Opcode Fuzzy Hash: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
                                                                    • Instruction Fuzzy Hash: 3541D0B090074E8BCF48CF64D49A5DE7FB0FB68398F20421DE856A6250D3B896A5CFC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800119A8 Relevance: 6.3, Strings: 5, Instructions: 63COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Qq$bt$vird$+$S
                                                                    • API String ID: 0-3373980505
                                                                    • Opcode ID: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
                                                                    • Instruction ID: 8c34661c01ca41a1498f33dadfb9b2381b3c020394efcb6cfebc1cbd8490f91c
                                                                    • Opcode Fuzzy Hash: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
                                                                    • Instruction Fuzzy Hash: 8831C2B081038A8FDB45CF64C88A5DE7BF0FB58358F115A19F869A6250D3B4D668CF81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3CC450 Relevance: 6.2, APIs: 4, Instructions: 152COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: InfoLocale$_getptd
                                                                    • String ID:
                                                                    • API String ID: 1743167714-0
                                                                    • Opcode ID: b0fda2b9e43f1133ad190798799e4c2ffbba67a865a56d93994de7f284044248
                                                                    • Instruction ID: 4551b29144a0d27619f96fe91e78ad6975ba471072294a193862f5bb30fb1235
                                                                    • Opcode Fuzzy Hash: b0fda2b9e43f1133ad190798799e4c2ffbba67a865a56d93994de7f284044248
                                                                    • Instruction Fuzzy Hash: C9618072B299C697DA699A61DD843E9B3D1FB88355F044136C75DAB2E0CF3CE8648700
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180011AD0 Relevance: 5.3, Strings: 4, Instructions: 335COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: V$@$P9$^_"
                                                                    • API String ID: 0-1880944046
                                                                    • Opcode ID: 6e4761af9cbbc7e56b0ebe3f2fd9ebbf1bb807a40d07775ef569cdf1f58d0d70
                                                                    • Instruction ID: ef3f81825b514374c5d287d432cdf068934c0dc0259921085eace1de493a05f6
                                                                    • Opcode Fuzzy Hash: 6e4761af9cbbc7e56b0ebe3f2fd9ebbf1bb807a40d07775ef569cdf1f58d0d70
                                                                    • Instruction Fuzzy Hash: B6F1DF70504749EFCB98CF28D18AACE7BE0FB48348F50812AF81A9B264D770DA59DB45
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800132F0 Relevance: 5.3, Strings: 4, Instructions: 312COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: =_$F)k$b/$syG
                                                                    • API String ID: 0-3955183656
                                                                    • Opcode ID: 8e62bb2442717ef834bc9e0d2db0d031a8489eaa3450fb87a3fdc8a088d62545
                                                                    • Instruction ID: 3a63fdd7148b145f5d2717dabea2a2fa508061acbcc25a132c341bfe6e9ad30f
                                                                    • Opcode Fuzzy Hash: 8e62bb2442717ef834bc9e0d2db0d031a8489eaa3450fb87a3fdc8a088d62545
                                                                    • Instruction Fuzzy Hash: DED12771A0478D8BCF59DFA8C88A6EEBBB0FB48344F10421DE846A7650D7B4D909CF85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180002D70 Relevance: 5.3, Strings: 4, Instructions: 266COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #X$'Xsa$iJ6$vG
                                                                    • API String ID: 0-746338152
                                                                    • Opcode ID: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
                                                                    • Instruction ID: 8ba50615c78112980223cca8f04f1fa67c4b69ee5a809e4e0bd2b8ae6832a1bb
                                                                    • Opcode Fuzzy Hash: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
                                                                    • Instruction Fuzzy Hash: 93E154B590070DDFCB88DF68D19A9DD7BB9BB49308F404029FC0E9A264D3B4E919CB56
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800097C0 Relevance: 5.3, Strings: 4, Instructions: 257COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: *i^$MIC$-Z$]2
                                                                    • API String ID: 0-498664264
                                                                    • Opcode ID: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
                                                                    • Instruction ID: 9792ecb135b2155067e966d5e38dbf4f409fde80c29e70d57d2078ebe1ce15c6
                                                                    • Opcode Fuzzy Hash: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
                                                                    • Instruction Fuzzy Hash: 10E1C670109B888FDBF8DF64CC86BEB7BA5FB44346F10651DD84A8A290DBB46645CF41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180027F9C Relevance: 5.2, Strings: 4, Instructions: 237COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: >97"$?$LsRW$~x
                                                                    • API String ID: 0-2554301858
                                                                    • Opcode ID: b37088c51263af6e06ebf62d89f1bff1b13e76a95d3b3fa096a3ef4bda325288
                                                                    • Instruction ID: eb38a845d203af82144c13b3f151f5fa827cd0cb8678597ee03ac1a376820114
                                                                    • Opcode Fuzzy Hash: b37088c51263af6e06ebf62d89f1bff1b13e76a95d3b3fa096a3ef4bda325288
                                                                    • Instruction Fuzzy Hash: E1D1E7705067C8CBEBBADFA4D885BCD3BA8FB44744F106219EC4AEA250DB745749CB01
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180010758 Relevance: 5.2, Strings: 4, Instructions: 222COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: B$EG$QsF$_
                                                                    • API String ID: 0-784369960
                                                                    • Opcode ID: 044ffeba6cf6caf628ab0d946c02a3f7d28cd574b6d4e2350068ec5c70ab2904
                                                                    • Instruction ID: 62dbbc71664ee0946fffbba3b71afe09b12d9ffe0d1744d6deb9db65ff0cd9cc
                                                                    • Opcode Fuzzy Hash: 044ffeba6cf6caf628ab0d946c02a3f7d28cd574b6d4e2350068ec5c70ab2904
                                                                    • Instruction Fuzzy Hash: 3FB1387010468D8FDF88DF28C88A6DA3FA1FB68388F614219FC4A97250C778D694CBC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180020334 Relevance: 5.2, Strings: 4, Instructions: 190COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: -`G$.$5B.Y$Z`35
                                                                    • API String ID: 0-1363032466
                                                                    • Opcode ID: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
                                                                    • Instruction ID: b244d414363a4385de25ad5610b22aaac7fb2f2c92cf8150697ad32e565f4bd8
                                                                    • Opcode Fuzzy Hash: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
                                                                    • Instruction Fuzzy Hash: 29A1FB716157888FEB7ADF24C89A7CE7BE1FB49308F40461DD98E8A250D7B49609CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000EE98 Relevance: 5.2, Strings: 4, Instructions: 167COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: *+_$WSh$\O$#o
                                                                    • API String ID: 0-1846314129
                                                                    • Opcode ID: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
                                                                    • Instruction ID: 175ce4bc0e22c7a636d32034be2bbb8ad42f6b3cb6a748f64f507b7f0b29ed37
                                                                    • Opcode Fuzzy Hash: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
                                                                    • Instruction Fuzzy Hash: 1971167160474ECFCB98DF18C489ADA3BE1FB58318F414529FC09A7264DB74DAA8CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180024D80 Relevance: 5.2, Strings: 4, Instructions: 155COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: .B$O$M*K$\<
                                                                    • API String ID: 0-3225238681
                                                                    • Opcode ID: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
                                                                    • Instruction ID: 95d2fbb8f7fe970b1359d27f41ccd6aad584115d4fee043204e0c0f4c3f3b287
                                                                    • Opcode Fuzzy Hash: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
                                                                    • Instruction Fuzzy Hash: 7181E370549788CFEBBACF24C886BDE7BE4FB48744F20461DE85A8A260DB709645CF41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018002A42C Relevance: 5.1, Strings: 4, Instructions: 143COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $$$$xVO$~O
                                                                    • API String ID: 0-3655128719
                                                                    • Opcode ID: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
                                                                    • Instruction ID: 8f78542db34460f4381821bab2b7e4f68a699ed7f8b2fc47c959991f0b02677a
                                                                    • Opcode Fuzzy Hash: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
                                                                    • Instruction Fuzzy Hash: 5B61D1B05187448FD369DF28C18965BBBF1FBC6744F008A1EF6868A260DB76D948CB47
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800024B8 Relevance: 5.1, Strings: 4, Instructions: 79COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ,IW$G$JMg$l
                                                                    • API String ID: 0-1370644289
                                                                    • Opcode ID: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
                                                                    • Instruction ID: 7fb8b97fd43ed4dc52a467cdcf5cca41e6e56dbc92574a5c866222c6b731b82a
                                                                    • Opcode Fuzzy Hash: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
                                                                    • Instruction Fuzzy Hash: 0A41D3B190074E8FCB48CF64C88A5DE7FB0FB18358F10461EE85AA6250D7B89695CFC9
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3CAF70 Relevance: 4.9, APIs: 3, Instructions: 435COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _errno$__tzset
                                                                    • String ID:
                                                                    • API String ID: 3587134695-0
                                                                    • Opcode ID: 49cb08095e24ca39ac522c7ec604242f23efb3d68850c8b05a0144016971d7f9
                                                                    • Instruction ID: bf6a3616379a911431315508c8e4764b8dede77e816e5dba49971175951a0251
                                                                    • Opcode Fuzzy Hash: 49cb08095e24ca39ac522c7ec604242f23efb3d68850c8b05a0144016971d7f9
                                                                    • Instruction Fuzzy Hash: F2027232B2E692C7E7688F2998D01BD37E1BB44751F25403AD74E6A6D1CF39ED488701
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3CFB6C Relevance: 4.6, APIs: 3, Instructions: 95COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _errno$DecodePointer_lock
                                                                    • String ID:
                                                                    • API String ID: 2175075375-0
                                                                    • Opcode ID: 67eb2a1810ee8ae3a6f200ab40374a5628c10f79bc737fdb0890b88123cf569c
                                                                    • Instruction ID: 2256d4613000201b715a35e2b2e8044ce9ec57d112017a178e4090c36e1e432b
                                                                    • Opcode Fuzzy Hash: 67eb2a1810ee8ae3a6f200ab40374a5628c10f79bc737fdb0890b88123cf569c
                                                                    • Instruction Fuzzy Hash: E5318221B2E75342FB659A71ADA537A61C19F543A4F148435DF4DAEAC6DF2CEC008620
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3CD318 Relevance: 4.5, APIs: 3, Instructions: 43COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • RtlCaptureContext.KERNEL32 ref: 00007FFF2F3CD357
                                                                    • SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFF2F3CD39D
                                                                    • UnhandledExceptionFilter.KERNEL32 ref: 00007FFF2F3CD3A8
                                                                      • Part of subcall function 00007FFF2F3C6F0C: GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FFF2F3C7194,?,?,?,?,00007FFF2F3C6C69,?,?,00000000,00007FFF2F3C30C0), ref: 00007FFF2F3C6FCF
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionFilterUnhandled$CaptureContextFileModuleName
                                                                    • String ID:
                                                                    • API String ID: 2731829486-0
                                                                    • Opcode ID: 593c6449df1015ae3e331ed563d16e9abc9156b94907c07056c7b3d83921dabb
                                                                    • Instruction ID: e2f54e77353c2b1629be1c975ace7cd4384e857b8dacb0a4fb79d516c70bb7a5
                                                                    • Opcode Fuzzy Hash: 593c6449df1015ae3e331ed563d16e9abc9156b94907c07056c7b3d83921dabb
                                                                    • Instruction Fuzzy Hash: 6A115125739A4682E7249B90EC943BA63D1FF85324F440139E98E1ABD6DF3DE805CF01
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001496C Relevance: 4.2, Strings: 3, Instructions: 493COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: *4$5F$S^r
                                                                    • API String ID: 0-3556444313
                                                                    • Opcode ID: 32f12f089b8a2f529f06453d9d247e753f5514636137a2d7872eb14875660eb0
                                                                    • Instruction ID: 3ee7e47d854a132278560872cba22db18b0762c6b33e49020313469b2ebed1ad
                                                                    • Opcode Fuzzy Hash: 32f12f089b8a2f529f06453d9d247e753f5514636137a2d7872eb14875660eb0
                                                                    • Instruction Fuzzy Hash: 5542F87154478C8BDBB8CF28C88D7DE7BE0FB54344F20461DE9AA8A261DBB49685CF41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001BB04 Relevance: 4.0, Strings: 3, Instructions: 286COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: &lz2$'~W$<x<
                                                                    • API String ID: 0-2268522332
                                                                    • Opcode ID: d353bb3380a978666a479ee450a37b931469c1cc25af52acd29372fd61dce81c
                                                                    • Instruction ID: 36e71a14450f7168630c03d0025ff7d4b6ed06a40f4a953d8196177a15a51c97
                                                                    • Opcode Fuzzy Hash: d353bb3380a978666a479ee450a37b931469c1cc25af52acd29372fd61dce81c
                                                                    • Instruction Fuzzy Hash: 47E10574A14B0C8BDB69DFB8D04A6CDBBF2FB54344F20411DE80AAB292D7B49519CF85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180020768 Relevance: 4.0, Strings: 3, Instructions: 260COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $$T]0$ba^2
                                                                    • API String ID: 0-1276948933
                                                                    • Opcode ID: 50dab8274baf4b038fc4b99f186c2c7516c76bbdb2714b9ce32fb6facc3b6c7a
                                                                    • Instruction ID: eef8b44dd2583dc88dd368a4c81b8d58a3d6fa2c6a2b719c97d70d037daa09dd
                                                                    • Opcode Fuzzy Hash: 50dab8274baf4b038fc4b99f186c2c7516c76bbdb2714b9ce32fb6facc3b6c7a
                                                                    • Instruction Fuzzy Hash: 1CD11470510748DBCB99CF24C88AADD7FB1FB483A8FA42219FD06A7260C775D984CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001D49C Relevance: 4.0, Strings: 3, Instructions: 228COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 6w5*$EDO$V
                                                                    • API String ID: 0-1640223502
                                                                    • Opcode ID: 944acd662e311639990576df567dfaf1aeae203cd7960374855798ea7e62004e
                                                                    • Instruction ID: 2aad62a72125add12bf3ce521e9508149cfd3cbf44ea5784fb3c25a9d2cdfef8
                                                                    • Opcode Fuzzy Hash: 944acd662e311639990576df567dfaf1aeae203cd7960374855798ea7e62004e
                                                                    • Instruction Fuzzy Hash: 07B1E67160560ECFCB88DF28C5866DE3BE0FB48318F41422AF90AA7354D774DA68CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000A6EC Relevance: 4.0, Strings: 3, Instructions: 212COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Y()$i_"o$|Y
                                                                    • API String ID: 0-942011364
                                                                    • Opcode ID: 99e19844c70b9c0f3275fee4d9e8598d8799ff7d5c60b779fef480da3ab0ff5c
                                                                    • Instruction ID: 0f698cdcb9f5af38e2ff44253ec0ac71ef144d8643f40abc7fb7ff20982184b6
                                                                    • Opcode Fuzzy Hash: 99e19844c70b9c0f3275fee4d9e8598d8799ff7d5c60b779fef480da3ab0ff5c
                                                                    • Instruction Fuzzy Hash: 5AC1F7706083889FDBBEDF28C8857CA7BA9FB46708F504519EDC98E254DB745744CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180017378 Relevance: 3.9, Strings: 3, Instructions: 183COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: O)$,G$-
                                                                    • API String ID: 0-23008916
                                                                    • Opcode ID: 382f6eb2118395d632dba3a2cf122cd3a475215dc83456f13dd86c7c3519a1e5
                                                                    • Instruction ID: 8302e34eee3504d26b36c965fbed976e69713b67a0f5c478fb5ffa9ec871fbb1
                                                                    • Opcode Fuzzy Hash: 382f6eb2118395d632dba3a2cf122cd3a475215dc83456f13dd86c7c3519a1e5
                                                                    • Instruction Fuzzy Hash: 6E81F7705106499BCF88DF28C8D6ADD7FB1FB483A8F956219FD0AA6250C774D885CB84
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000A270 Relevance: 3.9, Strings: 3, Instructions: 158COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ;U[$L$Q#
                                                                    • API String ID: 0-2933747092
                                                                    • Opcode ID: 48c80cf55519f04e9394a4cd7563c786fdb29e452e8ba8fdd2d4b1674bf817ce
                                                                    • Instruction ID: c6ef39cbec2f0f72f24e8f037401308b0178ea645a608ff4f3f67d7bb634a9bb
                                                                    • Opcode Fuzzy Hash: 48c80cf55519f04e9394a4cd7563c786fdb29e452e8ba8fdd2d4b1674bf817ce
                                                                    • Instruction Fuzzy Hash: 0B614E70A0870CAFDB48DF94C14AADDBBF2FB54344F0081A9E806AB251D7B59B59CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001DFB4 Relevance: 3.9, Strings: 3, Instructions: 144COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 5($<:*$qwX
                                                                    • API String ID: 0-3944236288
                                                                    • Opcode ID: 3ff6daddd3fc5570497b4afa6ac41a8054238f95a4c1d79c70cc8b829639e233
                                                                    • Instruction ID: 7f83292775578326f1885df61e48a3f2c5c3ff73894a37d4b388f2926162ec41
                                                                    • Opcode Fuzzy Hash: 3ff6daddd3fc5570497b4afa6ac41a8054238f95a4c1d79c70cc8b829639e233
                                                                    • Instruction Fuzzy Hash: 5B71067015878CDBEBBADF24C8897DD3BB0FB49344F90861AE84E8A250CF74574A9B41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001C05C Relevance: 3.9, Strings: 3, Instructions: 135COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 79&$s`~$v;
                                                                    • API String ID: 0-3844292866
                                                                    • Opcode ID: beca5e7b89ed182e00fd219d55149b62bdd99575566975f419d1c5ca8939f9e6
                                                                    • Instruction ID: c39f2861ae99e8b3f2b4a79ea52bf03a0f7a6e48d35fb935a0be7420e121cddb
                                                                    • Opcode Fuzzy Hash: beca5e7b89ed182e00fd219d55149b62bdd99575566975f419d1c5ca8939f9e6
                                                                    • Instruction Fuzzy Hash: 9B61397110478CAFDBFA9E58CC85BDD37A0FB48348F508229E9098B290DF749B4D9B46
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000551C Relevance: 3.9, Strings: 3, Instructions: 127COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: wQ_$1_$ac
                                                                    • API String ID: 0-1037425278
                                                                    • Opcode ID: 943c7c2c61714b72029a8fd813d6c42c5c92d180aed6d879ae2838ea4b2e708e
                                                                    • Instruction ID: 5ab913ef515fd25bf7fc04ce61f78e9cde1e7d2fd73709943c0f3a5cbb59c84a
                                                                    • Opcode Fuzzy Hash: 943c7c2c61714b72029a8fd813d6c42c5c92d180aed6d879ae2838ea4b2e708e
                                                                    • Instruction Fuzzy Hash: 1D612B7010978C8BDBF8CF54DC997EA3BA6FB54345F208519E84E8A270DB74968CCB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180023831 Relevance: 3.9, Strings: 3, Instructions: 108COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: )K$U|$|1-
                                                                    • API String ID: 0-2543966960
                                                                    • Opcode ID: 5f28dff232c1c58b23d465856644a80aed22efa063cacd8378c131e5813de89a
                                                                    • Instruction ID: 8eb6a9a016547b1518e90ac2546dd564535e4ecbba9ac8d240a0a1c3e9042cf5
                                                                    • Opcode Fuzzy Hash: 5f28dff232c1c58b23d465856644a80aed22efa063cacd8378c131e5813de89a
                                                                    • Instruction Fuzzy Hash: 1151D57160438CAFDBF6CE64D8857CA37A0AB06354F608129A89D8A291DBB4578DCB02
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180029368 Relevance: 3.9, Strings: 3, Instructions: 105COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 6|$6`d$H~z
                                                                    • API String ID: 0-1702722476
                                                                    • Opcode ID: 6487df39d46446a395b722702bbc9accbfbbf10f6bdf8a05bf21e92dd4d708c3
                                                                    • Instruction ID: dff368548e7284a50638b46c1e9eca52edd1bdea535486c94ebb7356abcac70e
                                                                    • Opcode Fuzzy Hash: 6487df39d46446a395b722702bbc9accbfbbf10f6bdf8a05bf21e92dd4d708c3
                                                                    • Instruction Fuzzy Hash: C351F37190074DDFCF48DFA4D98A5DEBBB0FB48308F118659E89AA7260C7B89A44CF45
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180019618 Relevance: 3.8, Strings: 3, Instructions: 92COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: d~$`5$t>
                                                                    • API String ID: 0-1282322184
                                                                    • Opcode ID: 5ab2e5105061d0cdd7dd2083328b31dc67734e2d6c9a8d2650bd0306db7847c6
                                                                    • Instruction ID: 2b9aad7a7c3990d0f54026c4e2bc5a00c5a3c031faa8fbf8ed0394cc09118e70
                                                                    • Opcode Fuzzy Hash: 5ab2e5105061d0cdd7dd2083328b31dc67734e2d6c9a8d2650bd0306db7847c6
                                                                    • Instruction Fuzzy Hash: 9141B2B190078ECBCF48DFA8C88A1DE7BB0FB58358F104A19E965A6250D3B49664CF84
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000BB28 Relevance: 3.8, Strings: 3, Instructions: 91COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #St$JYr$hmn
                                                                    • API String ID: 0-1556749129
                                                                    • Opcode ID: 8c5881788024da3e2945e5a9e10c631b66cff36ab1256063138a18bf82cfdc40
                                                                    • Instruction ID: 771f7f328e054501a5ac5c786693eba7885e85f29817745d48b7f08549072e32
                                                                    • Opcode Fuzzy Hash: 8c5881788024da3e2945e5a9e10c631b66cff36ab1256063138a18bf82cfdc40
                                                                    • Instruction Fuzzy Hash: 9141A2B590038E8FCF48CF68C9865DF7BB0FB58358F104A19E866A6250D3B8D665CF85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180002610 Relevance: 3.8, Strings: 3, Instructions: 87COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: TGA$K$W}
                                                                    • API String ID: 0-588348707
                                                                    • Opcode ID: 6f9a2f9587d8e5dd3523940eb2aee6104e1c9ad2b61c16d7289d24ecd03a1c44
                                                                    • Instruction ID: 925d7415f36b0b7642ffd9188936a5d9ffa2c4cac62ef92b2c466baf2dc1674c
                                                                    • Opcode Fuzzy Hash: 6f9a2f9587d8e5dd3523940eb2aee6104e1c9ad2b61c16d7289d24ecd03a1c44
                                                                    • Instruction Fuzzy Hash: E041C2B480038E8FCB88DF68D8865DE7BB0FB58358F10461DF82AA6254D3B49664CF95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000738C Relevance: 3.8, Strings: 3, Instructions: 86COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: :1,$@H${C=
                                                                    • API String ID: 0-2737386091
                                                                    • Opcode ID: 644fe5c2a8aa80c3bc0818b82038798635fbfb77325ece216352586eb067b324
                                                                    • Instruction ID: ceb57f34bb3f34c1ea772447f295c080a735f780389ac7edd693abfe49cb3e58
                                                                    • Opcode Fuzzy Hash: 644fe5c2a8aa80c3bc0818b82038798635fbfb77325ece216352586eb067b324
                                                                    • Instruction Fuzzy Hash: B641E6B090078E8FCF48DF68C98A5DE7BB0FB58348F104A1DE856A6250D3B4D665CF95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001481C Relevance: 3.8, Strings: 3, Instructions: 74COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: prP$q<C$uL
                                                                    • API String ID: 0-1414207395
                                                                    • Opcode ID: 2ae9b2111e30b1203ae6799d8d29bbb45b968934521661f86bb08c7d67e7e9b2
                                                                    • Instruction ID: cc3a3a13117e67edb5dc9e3fadb8c1066889dae633948d8cd9104a976a047d4b
                                                                    • Opcode Fuzzy Hash: 2ae9b2111e30b1203ae6799d8d29bbb45b968934521661f86bb08c7d67e7e9b2
                                                                    • Instruction Fuzzy Hash: 1031B1B180434E9FCB48DF68C88A5DE7FB0FB58358F10961DE85AA6260D3789695CFC4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180006458 Relevance: 3.8, Strings: 3, Instructions: 61COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: :00D$Kl$(R'
                                                                    • API String ID: 0-3661897330
                                                                    • Opcode ID: 85d3200e76e47dbb67993755bb0ce797b19f94abe7489bd39968e35e8c3a1c76
                                                                    • Instruction ID: 113703a4c5f13be184801d5493027e38acd6d1afb500234bb699672912ccf9eb
                                                                    • Opcode Fuzzy Hash: 85d3200e76e47dbb67993755bb0ce797b19f94abe7489bd39968e35e8c3a1c76
                                                                    • Instruction Fuzzy Hash: CA216F74618B848BD74CDF28C46551EBBE1BB8C718F440B1DF4CAAA354D778D6058B4A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C5944 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 154COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • _getptd.LIBCMT ref: 00007FFF2F3C597E
                                                                      • Part of subcall function 00007FFF2F3C6550: RtlCaptureContext.KERNEL32 ref: 00007FFF2F3C658F
                                                                      • Part of subcall function 00007FFF2F3C6550: IsDebuggerPresent.KERNEL32 ref: 00007FFF2F3C662D
                                                                      • Part of subcall function 00007FFF2F3C6550: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFF2F3C6637
                                                                      • Part of subcall function 00007FFF2F3C6550: UnhandledExceptionFilter.KERNEL32 ref: 00007FFF2F3C6642
                                                                      • Part of subcall function 00007FFF2F3C6550: GetCurrentProcess.KERNEL32 ref: 00007FFF2F3C6658
                                                                      • Part of subcall function 00007FFF2F3C6550: TerminateProcess.KERNEL32 ref: 00007FFF2F3C6666
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate_errno_getptd
                                                                    • String ID: C
                                                                    • API String ID: 1583075380-1037565863
                                                                    • Opcode ID: 10b8f8e64b2f2c6b57eebdc268e2529a4342badfac4ad9c6369cf06c32040822
                                                                    • Instruction ID: e3fea94212c401bac8529a2a200342ab93a58e413567bc9858f33ddaf3993bb0
                                                                    • Opcode Fuzzy Hash: 10b8f8e64b2f2c6b57eebdc268e2529a4342badfac4ad9c6369cf06c32040822
                                                                    • Instruction Fuzzy Hash: 4A518667B2A68241EAA09B229D917BB56D0FF84BA4F448031EE4D6F7C5DE3DD815C700
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3CC6E4 Relevance: 3.1, APIs: 2, Instructions: 64COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: InfoLocale_getptd
                                                                    • String ID:
                                                                    • API String ID: 3731964398-0
                                                                    • Opcode ID: 3ee99f9ceacccca0b475531418f3f0bad8631950249c9606f8709888dfed1ca9
                                                                    • Instruction ID: 6c16c00b0d1a22cce55d63e6e61ddc42f7db8f3f392808751257d0ec8f2a6d0d
                                                                    • Opcode Fuzzy Hash: 3ee99f9ceacccca0b475531418f3f0bad8631950249c9606f8709888dfed1ca9
                                                                    • Instruction Fuzzy Hash: 3B216D32B196C28AEB689B66DD853E973E0FB88795F004135C71D9B6D5DF3CE8648700
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3CC2B4 Relevance: 3.1, APIs: 2, Instructions: 56COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: InfoLocale_getptd
                                                                    • String ID:
                                                                    • API String ID: 3731964398-0
                                                                    • Opcode ID: d1cd7d40a2314de2c6ade98052514a7069188fc7bc8d66beba22a864349849c0
                                                                    • Instruction ID: da2dec5ba456e5a5a8e96b7d05e14bf5f9c3b32c8a46fe9cae5c4fd83de1b590
                                                                    • Opcode Fuzzy Hash: d1cd7d40a2314de2c6ade98052514a7069188fc7bc8d66beba22a864349849c0
                                                                    • Instruction Fuzzy Hash: 83219232B196C196DB28CB60E8857E973E0FB88B90F444135DA5D9B794DF3CE954C700
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800264F0 Relevance: 2.8, Strings: 2, Instructions: 299COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $$Y}
                                                                    • API String ID: 0-941771097
                                                                    • Opcode ID: ccf5b1dce74faba3fe2a090267a66303c79afc7ef0f7a8852e8ee526979540e5
                                                                    • Instruction ID: b5fbb9b8d69d65623167db00d7c984f611664f17b2ba8ffe1295fa2c65075a94
                                                                    • Opcode Fuzzy Hash: ccf5b1dce74faba3fe2a090267a66303c79afc7ef0f7a8852e8ee526979540e5
                                                                    • Instruction Fuzzy Hash: BFD11771D0475C8BDBA9CFA4C58A6DDBBB0FF48304F14812ED406AA664DBB4A94ACF41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180018148 Relevance: 2.8, Strings: 2, Instructions: 273COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 7;}~$?C
                                                                    • API String ID: 0-2633536567
                                                                    • Opcode ID: 9e9477893eee9c26855422b11b358c2b9c7e89ea64d6e27a9c9a45e4b3e49bc9
                                                                    • Instruction ID: 4ff8dde17651611a765cac66b1fbb421dc2d9ab68fb3aea537ff971927bbf4a2
                                                                    • Opcode Fuzzy Hash: 9e9477893eee9c26855422b11b358c2b9c7e89ea64d6e27a9c9a45e4b3e49bc9
                                                                    • Instruction Fuzzy Hash: 78D1157090074CEBCB98DF28C8CA6DD7FA0FF443A4FA06119FA5696250D7719989CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180025DAC Relevance: 2.8, Strings: 2, Instructions: 272COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 5"*$Wu
                                                                    • API String ID: 0-3407213400
                                                                    • Opcode ID: 590a19696181e1204ae7455af11f8a1d001dcd1a3fed74675f5c17178e0ac61d
                                                                    • Instruction ID: 3c96fdf1381a0958c8520d7d71fe6f2c88625533ee613de06fa48a87f48c4e54
                                                                    • Opcode Fuzzy Hash: 590a19696181e1204ae7455af11f8a1d001dcd1a3fed74675f5c17178e0ac61d
                                                                    • Instruction Fuzzy Hash: C5D1347150160CDBCBA9DF38C0896D93BE1FF68314F606229FC26962A6C770D998CB45
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180026B10 Relevance: 2.8, Strings: 2, Instructions: 257COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: F/|$]M
                                                                    • API String ID: 0-4182351379
                                                                    • Opcode ID: 6ca5dc36d9275e72bb52b2201a87e4efd5e3077112f043bed35ba482a866e2ca
                                                                    • Instruction ID: a7a3ffa63f459c2793369717af269d13be5e973408dad35b7fec4159c22d1286
                                                                    • Opcode Fuzzy Hash: 6ca5dc36d9275e72bb52b2201a87e4efd5e3077112f043bed35ba482a866e2ca
                                                                    • Instruction Fuzzy Hash: 93C1FC7590574CCFDBAACF28C4896DA3BE4FF18348F104129FC1A96262C778E959CB46
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180021C3C Relevance: 2.7, Strings: 2, Instructions: 216COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ;SH$nK
                                                                    • API String ID: 0-1681473137
                                                                    • Opcode ID: 60009ad1e2a9263792ce168a39eeae7aea84bb316664056338e5cad3c2547986
                                                                    • Instruction ID: 2d779165796623b26e7721dc1da123eca1e5f2af18f65828867eec0b4a65172d
                                                                    • Opcode Fuzzy Hash: 60009ad1e2a9263792ce168a39eeae7aea84bb316664056338e5cad3c2547986
                                                                    • Instruction Fuzzy Hash: A4A1F6B1D047188FDB69DFA9C8896DDBBF0FB58308F20821DE456AB252DB70A945CF40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800014F8 Relevance: 2.7, Strings: 2, Instructions: 185COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ,$z
                                                                    • API String ID: 0-3532108746
                                                                    • Opcode ID: dc10c8488ddee61f5c5f049ba36fdd234a8a1d33d2b4922d6dc47400662f32e6
                                                                    • Instruction ID: 22c424daf7001e4089cf159549a6bd5e686fa177ee3286ce9bb9aa7af20863be
                                                                    • Opcode Fuzzy Hash: dc10c8488ddee61f5c5f049ba36fdd234a8a1d33d2b4922d6dc47400662f32e6
                                                                    • Instruction Fuzzy Hash: D8813B7050064ECFDB99CF28C8967DE3BA0FB58388F214219FC469A251D778DA99CBC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001A460 Relevance: 2.7, Strings: 2, Instructions: 182COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: g/?$~l;
                                                                    • API String ID: 0-1448562259
                                                                    • Opcode ID: d2040acbbcff242154b89f912e397b4bdfd0b20ea052fb69228554049ff3a845
                                                                    • Instruction ID: 3fbc9289fec6fa85948f8c66d04cee19a314a674a1b98c47510047b5f8856774
                                                                    • Opcode Fuzzy Hash: d2040acbbcff242154b89f912e397b4bdfd0b20ea052fb69228554049ff3a845
                                                                    • Instruction Fuzzy Hash: BD912570D0871C8BDF98CFA8D4896DEBBF0FB48314F108119E815B6261D7788A49CF69
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000F128 Relevance: 2.7, Strings: 2, Instructions: 173COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: JM$S
                                                                    • API String ID: 0-422059844
                                                                    • Opcode ID: 17c06aff4c9a8785a284e06d6c25610082a70a687229394e7dafcb554760f06a
                                                                    • Instruction ID: 18b4f90d7ab76b898621194cab333307634bf3b6742180ea4845374ffda8c285
                                                                    • Opcode Fuzzy Hash: 17c06aff4c9a8785a284e06d6c25610082a70a687229394e7dafcb554760f06a
                                                                    • Instruction Fuzzy Hash: 58813B715047888BDBB8DF34C8863D93BE1FB54348F60821DEC9ACA262DB74954ADB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000671C Relevance: 2.7, Strings: 2, Instructions: 169COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: \4t$sT>
                                                                    • API String ID: 0-514966222
                                                                    • Opcode ID: bb5024ce5ec3974a1f347232039341d65ca55b368bc4e02a847ae3966b55dd21
                                                                    • Instruction ID: befa5a9d8a747e28c49f4c6f85c9bef8e8333281f143cc702ee02b151a4c5a7a
                                                                    • Opcode Fuzzy Hash: bb5024ce5ec3974a1f347232039341d65ca55b368bc4e02a847ae3966b55dd21
                                                                    • Instruction Fuzzy Hash: 689178B550070DCFDB98CF28C18A59E3BE8FB49318F40412AFC1E9A264E7B4E519CB46
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800075D4 Relevance: 2.7, Strings: 2, Instructions: 155COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 6 zT$lh
                                                                    • API String ID: 0-3667112246
                                                                    • Opcode ID: 3243651aebf4cc17f9c3ac19081b739ce8b4ee13b4845d7785784d3dcbf37647
                                                                    • Instruction ID: 045a3dc0dd112cd33074149f38d13d5bd37ef25ad135160f9863638738ef0602
                                                                    • Opcode Fuzzy Hash: 3243651aebf4cc17f9c3ac19081b739ce8b4ee13b4845d7785784d3dcbf37647
                                                                    • Instruction Fuzzy Hash: 27811A7050478C8FDBBADF64C8AA7CA7BB0FB59304F504219EA4D8A261DB749749CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800248A8 Relevance: 2.6, Strings: 2, Instructions: 143COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 2Q'$t<p
                                                                    • API String ID: 0-2959822804
                                                                    • Opcode ID: b2351d3b708b15bcd3604af59b95d6174f592116e14d9e00cc8b524fb472ed52
                                                                    • Instruction ID: a41fe1ae69e2ef788ca0c35fa62602b5835247be5e9f8fb85ac316e89f41683a
                                                                    • Opcode Fuzzy Hash: b2351d3b708b15bcd3604af59b95d6174f592116e14d9e00cc8b524fb472ed52
                                                                    • Instruction Fuzzy Hash: 30612671D0074E8BDF99DFA9C44A6EEBBB0FB58344F208119E415B7250CB788A49CF92
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180012F28 Relevance: 2.6, Strings: 2, Instructions: 136COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 95s$\`s
                                                                    • API String ID: 0-3495284040
                                                                    • Opcode ID: 588b54260dd6ab6c7a0d8fdad9ba33054619fea491f2d0c2f65b47850ec72611
                                                                    • Instruction ID: 5af2ad2f129eee824c5b1b43ddda8a3f0e9306f12771263eefccbe9bdf0da5be
                                                                    • Opcode Fuzzy Hash: 588b54260dd6ab6c7a0d8fdad9ba33054619fea491f2d0c2f65b47850ec72611
                                                                    • Instruction Fuzzy Hash: 1351D47011478A8BCB48DF28C896ADE3FA1FB58348F114618FC668B264C7B4E665CBC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001AAB8 Relevance: 2.6, Strings: 2, Instructions: 131COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 3*$qMu
                                                                    • API String ID: 0-4093015089
                                                                    • Opcode ID: 99b9b50685954fc4be39463e85dd78448f0e0771904def200121889666665086
                                                                    • Instruction ID: 306475205ddf6f42a3ecfe0a1797163739854d195c0d735865f936de0d0f8307
                                                                    • Opcode Fuzzy Hash: 99b9b50685954fc4be39463e85dd78448f0e0771904def200121889666665086
                                                                    • Instruction Fuzzy Hash: 445122B09147189BCB88CFA8E4CA9CDBBF1FF48354F609119F806A7255DB709984CF95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018002C904 Relevance: 2.6, Strings: 2, Instructions: 112COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #X$"n&E
                                                                    • API String ID: 0-1188898577
                                                                    • Opcode ID: 718f7bd1d94c81876eaad6eeab3da3c9f3f95e6ba8e740bb3013068cec68a803
                                                                    • Instruction ID: 5f040a851564d75eb680569e00f78a68740ad3a482e782991b4ea7036c242a73
                                                                    • Opcode Fuzzy Hash: 718f7bd1d94c81876eaad6eeab3da3c9f3f95e6ba8e740bb3013068cec68a803
                                                                    • Instruction Fuzzy Hash: 3851CEB190038E8FCB48DF68D8865DE7BB1FB48344F018A1DE866AB250D7B4D665CB94
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800176B8 Relevance: 2.6, Strings: 2, Instructions: 102COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Bw~$fy
                                                                    • API String ID: 0-1663007907
                                                                    • Opcode ID: e7fa569085818704a3ff5c3485105d547b9a4184ddd82cedce935b50235ecc40
                                                                    • Instruction ID: 54d1d0e0fa6abfe6c6c31828b0edda1727153ea8c56c584fcf89706de6b20d2b
                                                                    • Opcode Fuzzy Hash: e7fa569085818704a3ff5c3485105d547b9a4184ddd82cedce935b50235ecc40
                                                                    • Instruction Fuzzy Hash: FC51D2B090038A8FCB48CF64C88A5DE7FB1FB48348F51861DFC26AA250D3B4D664CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180013150 Relevance: 2.6, Strings: 2, Instructions: 100COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: /0$XyLe
                                                                    • API String ID: 0-3562702181
                                                                    • Opcode ID: fef052e2a4848d8a0e8164d690a85092e4079079a61ad40d2a1be71e95784dc9
                                                                    • Instruction ID: 167cd3e3c855d70dfa0c36df1993a56b415187eb75226b1b3cef09056e291559
                                                                    • Opcode Fuzzy Hash: fef052e2a4848d8a0e8164d690a85092e4079079a61ad40d2a1be71e95784dc9
                                                                    • Instruction Fuzzy Hash: 5751C2B090034E8FDB48DF68C49A5DE7FB0FB68398F20421DE856A6250D37496A4CFC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800190D4 Relevance: 2.6, Strings: 2, Instructions: 93COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: >I$>I
                                                                    • API String ID: 0-3948471910
                                                                    • Opcode ID: d02b05b08f34d440a9e97d41a427d6483b203c28eb04f5a8f30793fc226f53c2
                                                                    • Instruction ID: a225938552342fdcd3306cc52f41137c6a5b776406488479516cfafb05d577e3
                                                                    • Opcode Fuzzy Hash: d02b05b08f34d440a9e97d41a427d6483b203c28eb04f5a8f30793fc226f53c2
                                                                    • Instruction Fuzzy Hash: 8D41F0B0909B849BC788DF68C18A90AFBE0FBD8704F505A1DF5858B660DBB4D806CF42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001DA80 Relevance: 2.6, Strings: 2, Instructions: 86COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: {H2}$}i#c
                                                                    • API String ID: 0-1724349491
                                                                    • Opcode ID: 636373f8d11797f15735a76cf3eff043eb60bc28cc3023d18146d874f48b2676
                                                                    • Instruction ID: 37d5b784c44c013357b808598ceb46bd6ed98c7a9730d3ab63b6bf10ba55f6e5
                                                                    • Opcode Fuzzy Hash: 636373f8d11797f15735a76cf3eff043eb60bc28cc3023d18146d874f48b2676
                                                                    • Instruction Fuzzy Hash: 3941EAB190078A8BCF48CF68C89A1DE7BB1FB58358F11461DE866A6250D3B49664CF85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800269B0 Relevance: 2.6, Strings: 2, Instructions: 82COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4V$so
                                                                    • API String ID: 0-1060102820
                                                                    • Opcode ID: d1e906d6139717c906ceb034d8d33f13f0a3d2bdb8d940195440e7af4bdcba37
                                                                    • Instruction ID: d444a7ea2620fcfa6eb466004a6e01db215641729881944e94261e2193751ac2
                                                                    • Opcode Fuzzy Hash: d1e906d6139717c906ceb034d8d33f13f0a3d2bdb8d940195440e7af4bdcba37
                                                                    • Instruction Fuzzy Hash: 8E41BEB180034A8FCB48CF64C88A5DE7FB1FB68398F104619E859A6250D3B4D6A5CFC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800296EC Relevance: 2.6, Strings: 2, Instructions: 78COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: F+'$O$
                                                                    • API String ID: 0-4064122715
                                                                    • Opcode ID: 65d5816d26685df18d8fe2bf41853c6ad5a30473c75acd7588c5af8b031b1464
                                                                    • Instruction ID: be1e2e71df6ebfdb4da32f29d75cc371dd40c0bd5c05f395d23934970efaee37
                                                                    • Opcode Fuzzy Hash: 65d5816d26685df18d8fe2bf41853c6ad5a30473c75acd7588c5af8b031b1464
                                                                    • Instruction Fuzzy Hash: FD41D6705187848BD3A9DF68C08965EFBF0FB96394F104A1CF68686670C7B6D849CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800121CC Relevance: 2.6, Strings: 2, Instructions: 75COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 1$bO6
                                                                    • API String ID: 0-3242911120
                                                                    • Opcode ID: 9f75d9841d56aa2cc22d310afbf4e4cd48e2e3da52340bc691d74cf5e049a536
                                                                    • Instruction ID: 6601c978ba2416544a7d1ca6fb5225a3b879728eb772ccf04003f68ee897128b
                                                                    • Opcode Fuzzy Hash: 9f75d9841d56aa2cc22d310afbf4e4cd48e2e3da52340bc691d74cf5e049a536
                                                                    • Instruction Fuzzy Hash: 8A3107701187449FC7A8DF68C086A5ABBF0FB9A354F50491DF686C7265C3B2D895CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180019D60 Relevance: 2.6, Strings: 2, Instructions: 68COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: )j-J$\rba
                                                                    • API String ID: 0-105394296
                                                                    • Opcode ID: b27fa7590f58ca7dd2d737508af6f5bc0d6ebd07140c48d4a736306249910364
                                                                    • Instruction ID: 842adb91478ed39572f9e8a80903ac0de563c5eb9e26d75e48c1d2cd82a83531
                                                                    • Opcode Fuzzy Hash: b27fa7590f58ca7dd2d737508af6f5bc0d6ebd07140c48d4a736306249910364
                                                                    • Instruction Fuzzy Hash: 1A31D17080024E8BDF88DF64D48A6DFBFF0FB58788F205219E856A6254D7749694CFC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180024698 Relevance: 2.6, Strings: 2, Instructions: 67COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 5T$7c
                                                                    • API String ID: 0-2666566123
                                                                    • Opcode ID: 2ae419eb0ff386ee94a2b0b54af6030ef829be62021f352e0c4a6905d27011e8
                                                                    • Instruction ID: ee04dda3efe5c9a307f88871a109fd0823ba75d09644cdd26569aa81abafae9d
                                                                    • Opcode Fuzzy Hash: 2ae419eb0ff386ee94a2b0b54af6030ef829be62021f352e0c4a6905d27011e8
                                                                    • Instruction Fuzzy Hash: 7631E2B051C7808BC358DF68D15A51BFBF1BBCA748F50891CF686866A0D7B6D818CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180017BDC Relevance: 2.6, Strings: 2, Instructions: 60COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ",)x$PX
                                                                    • API String ID: 0-926260526
                                                                    • Opcode ID: f165c3a10a1fa821f16c68d8465b247d8270816cceff94c6b22525474e7640ac
                                                                    • Instruction ID: d5a1e783bdd82888163cb93820b1a52157f2f65bb265271905f807ea8b7abae1
                                                                    • Opcode Fuzzy Hash: f165c3a10a1fa821f16c68d8465b247d8270816cceff94c6b22525474e7640ac
                                                                    • Instruction Fuzzy Hash: DA31A1B091434E8FCB48DF64C88A5DE7FF0FB58398F114619E85AA6250D3B89694CFC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3CC39C Relevance: 1.6, APIs: 1, Instructions: 54COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: InfoLocale
                                                                    • String ID:
                                                                    • API String ID: 2299586839-0
                                                                    • Opcode ID: 31e1571c4c9480ce99c15a91898bfef815e3c9c5a1e04a4fd1e61da97386d0dc
                                                                    • Instruction ID: e3ec326f0630ef1350c545a80c3cb45a7530ae1187dfbdb83de33a5207b108da
                                                                    • Opcode Fuzzy Hash: 31e1571c4c9480ce99c15a91898bfef815e3c9c5a1e04a4fd1e61da97386d0dc
                                                                    • Instruction Fuzzy Hash: C3119432B295C245EB715A65ECD17B922D0AB847E8F448031DA8DAE2D1CE2CED468700
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3CC834 Relevance: 1.5, APIs: 1, Instructions: 46COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: EnumLocalesSystem
                                                                    • String ID:
                                                                    • API String ID: 2099609381-0
                                                                    • Opcode ID: aeac2b72f960d353e04b1ec94d2b5deee2ea0aff83e9dab1063ee3790c567d86
                                                                    • Instruction ID: 64e1b52fa12a85598e6e120c48ad780ba517dab1b2f611cd3e5ac5ae10675fd0
                                                                    • Opcode Fuzzy Hash: aeac2b72f960d353e04b1ec94d2b5deee2ea0aff83e9dab1063ee3790c567d86
                                                                    • Instruction Fuzzy Hash: A6117C72B297458BFB188B31C89537A36E0FB94B69F044435C60D6A2E6CF7CD9958780
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3CC8C8 Relevance: 1.5, APIs: 1, Instructions: 35COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • EnumSystemLocalesA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FFF2F3C5A8C), ref: 00007FFF2F3CC8FD
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: EnumLocalesSystem
                                                                    • String ID:
                                                                    • API String ID: 2099609381-0
                                                                    • Opcode ID: 63a91a0b255d2a7e8e8559b933d18d41bbf72777b1d5725641a44dd385286e67
                                                                    • Instruction ID: 668674bb72ca337487d74eda1d21c2220e898fb365131eef838bd187e46dfafe
                                                                    • Opcode Fuzzy Hash: 63a91a0b255d2a7e8e8559b933d18d41bbf72777b1d5725641a44dd385286e67
                                                                    • Instruction Fuzzy Hash: 01F0C872F2954686F7588B31C8953FA23D1EB94B94F188031C64D5A2E6CF7DDD918241
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3CDF3C Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: InfoLocale_getptd
                                                                    • String ID:
                                                                    • API String ID: 3731964398-0
                                                                    • Opcode ID: c55661bbe17e4b16f28eed47b7e85f9fabee07928079620ee3b979cc97ad5c67
                                                                    • Instruction ID: f9bac1cae668fd7a1a55d25017bf841a9f2bfcbac159ba3cf8ce903da9dda7e2
                                                                    • Opcode Fuzzy Hash: c55661bbe17e4b16f28eed47b7e85f9fabee07928079620ee3b979cc97ad5c67
                                                                    • Instruction Fuzzy Hash: C0F05E22B186C083D7118B1AF44455AE7A1FBC4BF4F584221EAAE1BB99CE6CC956CB40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3CE1E8 Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: InfoLocale
                                                                    • String ID:
                                                                    • API String ID: 2299586839-0
                                                                    • Opcode ID: 502a65142465a1b9b121244362b20e71b6ae70508435106b2b95459646a177ab
                                                                    • Instruction ID: e974c37e439282805335ba18e378b97070d56c7c3239763487a7531e04ba3353
                                                                    • Opcode Fuzzy Hash: 502a65142465a1b9b121244362b20e71b6ae70508435106b2b95459646a177ab
                                                                    • Instruction Fuzzy Hash: D6E09B21B2C58181F730E750EC813AA27D0FF98778F800231D69D6E6E5DE2CEA55CB00
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3CC7F4 Relevance: 1.5, APIs: 1, Instructions: 18COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: EnumLocalesSystem
                                                                    • String ID:
                                                                    • API String ID: 2099609381-0
                                                                    • Opcode ID: a3acadd2f008454ed6638a5ec196b6424420b15def5e390d94227f08142a8bc9
                                                                    • Instruction ID: c43f79e611f874d942c47ea506a1bfc28bf090049fb3106045109f3d5e0679a6
                                                                    • Opcode Fuzzy Hash: a3acadd2f008454ed6638a5ec196b6424420b15def5e390d94227f08142a8bc9
                                                                    • Instruction Fuzzy Hash: BEE08677F1564542EB488B71D88437422D1EF94B59F088031CA0D152E5CF7CDA96C740
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800125C4 Relevance: 1.5, Strings: 1, Instructions: 239COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: cYte
                                                                    • API String ID: 0-489798635
                                                                    • Opcode ID: 4acd880b1b9242ae3f66c3fdc32505bc5e4dc901df3d7cd7ffb66f12f89e51a1
                                                                    • Instruction ID: 4bcad34f3ef31740aa8133b8dde5a269bb367cd09133d205a83695970592d01c
                                                                    • Opcode Fuzzy Hash: 4acd880b1b9242ae3f66c3fdc32505bc5e4dc901df3d7cd7ffb66f12f89e51a1
                                                                    • Instruction Fuzzy Hash: C4B1E570904A0C9FCB99DFA8D4C96DDBFB1FB48354F908119F806AB294D774998ACF81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018002A9A8 Relevance: 1.5, Strings: 1, Instructions: 221COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Pc
                                                                    • API String ID: 0-2609325410
                                                                    • Opcode ID: 1a0088ecf8094bc96bd3fe6dd6dc82c472572739438acd9534c77a0a59272c42
                                                                    • Instruction ID: 12b923e2fd3f69615379d54222b7898fdcc3de1fee72b8e179f5c4c977b11f8e
                                                                    • Opcode Fuzzy Hash: 1a0088ecf8094bc96bd3fe6dd6dc82c472572739438acd9534c77a0a59272c42
                                                                    • Instruction Fuzzy Hash: 4CC188B6502749CFCB88DF68C69A59E7BF1FF55308F004129FC0A9A660D374D929CB48
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001C964 Relevance: 1.5, Strings: 1, Instructions: 207COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: xDC
                                                                    • API String ID: 0-90241050
                                                                    • Opcode ID: 1794493f14346c80bf95ebec7e4fc927d8b172e8d91b7fcff559d0595d0365ee
                                                                    • Instruction ID: 9121b1bc5c885adbeef7a29f5b0494aad7ac2618abc594bea640adf26706a648
                                                                    • Opcode Fuzzy Hash: 1794493f14346c80bf95ebec7e4fc927d8b172e8d91b7fcff559d0595d0365ee
                                                                    • Instruction Fuzzy Hash: F391387052065CEBDB99DF68C8CAADD3BA0FB48394F906219FC4287250C775D9C98B86
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001ED50 Relevance: 1.5, Strings: 1, Instructions: 205COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: g >
                                                                    • API String ID: 0-3862707646
                                                                    • Opcode ID: ed648581161f49faafb3551504090fa0bdf2ce44a31b7bcfa2a0e2750c151a25
                                                                    • Instruction ID: 455282f08292131e945dcc730a648b96f9dba3dd8fa54dedd401ba7ae830fef0
                                                                    • Opcode Fuzzy Hash: ed648581161f49faafb3551504090fa0bdf2ce44a31b7bcfa2a0e2750c151a25
                                                                    • Instruction Fuzzy Hash: DEA1E5B1604649CFCB98DF28C4896DE7BE0FF48358F41412AFD0A9B255C774DAA8CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180018DAC Relevance: 1.4, Strings: 1, Instructions: 200COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 2
                                                                    • API String ID: 0-2012265552
                                                                    • Opcode ID: fb4f60d061479647d3fac6d2f693c32068a5ad75f13adf9d903438d0578f57c4
                                                                    • Instruction ID: 4926f2c2e7b01a1509be6dde787c5073208d3019f4660081853cabf743aa6d2d
                                                                    • Opcode Fuzzy Hash: fb4f60d061479647d3fac6d2f693c32068a5ad75f13adf9d903438d0578f57c4
                                                                    • Instruction Fuzzy Hash: 23A1467490660CDFCB69DFA8C0856CDBBF2FF18344F1081AAE816A7261D774C619CB89
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800288B8 Relevance: 1.4, Strings: 1, Instructions: 190COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Wcl
                                                                    • API String ID: 0-2623992880
                                                                    • Opcode ID: f4aab810873131842688b8816ae552eda5867b61779d557f5a81b893f1e00e3f
                                                                    • Instruction ID: 6785441b261b06c1a3a09f49601167733b22bb672c53a20dcfeae34723d14519
                                                                    • Opcode Fuzzy Hash: f4aab810873131842688b8816ae552eda5867b61779d557f5a81b893f1e00e3f
                                                                    • Instruction Fuzzy Hash: DCB17BB990364DCFCB68CF78D58A59D7BF1AF64308F204119FC259A266D3B0D629CB48
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180029888 Relevance: 1.4, Strings: 1, Instructions: 172COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ws8
                                                                    • API String ID: 0-2196714860
                                                                    • Opcode ID: 5d33fb8a3b51542eaa6130f047a5a21fcb70befd8ff2f8c5da0624ee0b386558
                                                                    • Instruction ID: b480ef2199d1fafa288ff61c3bcffdce570952497d21d470c9db593eaacbee88
                                                                    • Opcode Fuzzy Hash: 5d33fb8a3b51542eaa6130f047a5a21fcb70befd8ff2f8c5da0624ee0b386558
                                                                    • Instruction Fuzzy Hash: 54711A70A0470E8FDB59DFA8C45AAEFBBF2FB54348F004119D806A7291DB749A19CBC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180017908 Relevance: 1.4, Strings: 1, Instructions: 158COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: p/g
                                                                    • API String ID: 0-1786412500
                                                                    • Opcode ID: 12e0429f3d25b53aa03a660b5e037e54bcd2ac93df657abae010b2d02fa62e0c
                                                                    • Instruction ID: ede728f5e2ba0833d242d52ca27ad93f20c36497480e8c5f25a004cbad49378e
                                                                    • Opcode Fuzzy Hash: 12e0429f3d25b53aa03a660b5e037e54bcd2ac93df657abae010b2d02fa62e0c
                                                                    • Instruction Fuzzy Hash: F58108B050434E8FCB88DF68D88A6DE7FF0FB58358F105659E85A96250D3B8D694CF84
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000131C Relevance: 1.4, Strings: 1, Instructions: 154COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: %
                                                                    • API String ID: 0-3714942587
                                                                    • Opcode ID: 4a5e4fe18fa17051425459feb0137b81b0d343578dbe0cd5a85f108800ca0619
                                                                    • Instruction ID: d5d5bf94d11651037a836977de8f66422f038c9f5d7a5f915f0cc542ec650b78
                                                                    • Opcode Fuzzy Hash: 4a5e4fe18fa17051425459feb0137b81b0d343578dbe0cd5a85f108800ca0619
                                                                    • Instruction Fuzzy Hash: 5A516974606608CBDB69DF38D4D57A937E1EF68305F20412DF866C72A2DB70D9258B88
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000D8C4 Relevance: 1.4, Strings: 1, Instructions: 133COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: A.}
                                                                    • API String ID: 0-2880059976
                                                                    • Opcode ID: 9010837fa6b706847bc4c7b3c9088da85304bc8742fe6f892a790101183beb2f
                                                                    • Instruction ID: 2f0cd8bb00c33d355f5bc07b1ff950bf82d6730f12d3cb6082a6ef1b734ff39e
                                                                    • Opcode Fuzzy Hash: 9010837fa6b706847bc4c7b3c9088da85304bc8742fe6f892a790101183beb2f
                                                                    • Instruction Fuzzy Hash: 8E618FB190078E8FCF48DF68C88A5DE7BB1FB58318F004A1DE86696250D7B49A65CF94
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180001D68 Relevance: 1.4, Strings: 1, Instructions: 126COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 0#
                                                                    • API String ID: 0-456275806
                                                                    • Opcode ID: 2a5e92d38432702302bb854991be2d1fec0b328a8259ee1ce7fe1531fc30a302
                                                                    • Instruction ID: 4563f3e02f76dde2de765371aa44af8a356bdaf4307918038d119139e73a9611
                                                                    • Opcode Fuzzy Hash: 2a5e92d38432702302bb854991be2d1fec0b328a8259ee1ce7fe1531fc30a302
                                                                    • Instruction Fuzzy Hash: A6415E70608B488FC768DF19D4897AABBF1FB99301F404A6DE58AC7251DB70D849CB82
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180008CA0 Relevance: 1.4, Strings: 1, Instructions: 119COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: n)
                                                                    • API String ID: 0-1227437150
                                                                    • Opcode ID: f07ab33c2aa16265c73684704b65c3edc8d50a8e8d1ddfe7d0f50fe867e83bf1
                                                                    • Instruction ID: dd456011ca79f85f31d8ff0d6df60f6896318ebd7e2af4f5172cd91629f08304
                                                                    • Opcode Fuzzy Hash: f07ab33c2aa16265c73684704b65c3edc8d50a8e8d1ddfe7d0f50fe867e83bf1
                                                                    • Instruction Fuzzy Hash: 9761ADB090074E8FCB48DF68D58A5CE7FF0FB68398F204219E856A6260D37496A5CFC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001EB30 Relevance: 1.4, Strings: 1, Instructions: 117COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: H&0
                                                                    • API String ID: 0-1691334370
                                                                    • Opcode ID: 176f3dafecf3041be65652fa330368668244bab9b7972e65e66ffc3ed07b0be6
                                                                    • Instruction ID: 434fd06cb4e7b9e5ef59c8cf231445956357c0a0e2562e482aef1b34ca23bdad
                                                                    • Opcode Fuzzy Hash: 176f3dafecf3041be65652fa330368668244bab9b7972e65e66ffc3ed07b0be6
                                                                    • Instruction Fuzzy Hash: F8511970519784ABD7D9CF28C4C5B5EBBE0FB88794F90691EF486C62A0CB74C9498B03
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018002870C Relevance: 1.4, Strings: 1, Instructions: 107COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: <+o
                                                                    • API String ID: 0-2035106886
                                                                    • Opcode ID: a127c5cda714885b89af0befeec2260f70d516272a3ffbf2c9e998cd35b08532
                                                                    • Instruction ID: 908cc80fe280ddd0bfa2415e6bae89ce11b1f5b72da4428c53a3215ac7c7145d
                                                                    • Opcode Fuzzy Hash: a127c5cda714885b89af0befeec2260f70d516272a3ffbf2c9e998cd35b08532
                                                                    • Instruction Fuzzy Hash: 7A51DFB090034E8BCB48CF68C9965DE7BB0FB58348F11861DEC26AA350D3B4D664CF95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180015388 Relevance: 1.3, Strings: 1, Instructions: 94COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 2d
                                                                    • API String ID: 0-3866551247
                                                                    • Opcode ID: 21f6d5c278180fa64e04e12198f4d62966834cfebc9beba359b958e849a1d965
                                                                    • Instruction ID: 258b54a6104a0115c80ff1d617aa7636393a642c0cf89d14f7baa21f525a3413
                                                                    • Opcode Fuzzy Hash: 21f6d5c278180fa64e04e12198f4d62966834cfebc9beba359b958e849a1d965
                                                                    • Instruction Fuzzy Hash: 4641CFB05087858FD358DF68C58A61AFBF1BBCA344F108A1EF685CB260D7B6D945CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800250CC Relevance: 1.3, Strings: 1, Instructions: 93COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ZF{;
                                                                    • API String ID: 0-2351138993
                                                                    • Opcode ID: 1a3b70ac63407bc6b31dbd99811dd9b011c38cdabefff78aa14352df61b26e81
                                                                    • Instruction ID: 7873f037b774218c73d9d67b0eeaf548a3a2a69e6d8f7c9b30684cba1c01e4e1
                                                                    • Opcode Fuzzy Hash: 1a3b70ac63407bc6b31dbd99811dd9b011c38cdabefff78aa14352df61b26e81
                                                                    • Instruction Fuzzy Hash: 525192B180034A8FCB48CF68D48A5DE7FB0FB68398F20461DF956A6250D3B596A4CFD5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180011834 Relevance: 1.3, Strings: 1, Instructions: 91COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: o^
                                                                    • API String ID: 0-3380573087
                                                                    • Opcode ID: 0d6f3437d03fe5aa4f51e8e74fa4409d34d0e7854ad8eda007dad4bfdfa39413
                                                                    • Instruction ID: 59a9f6ae0c87b179395b4bbd7662f2404235addd18437060f8b1d9c1d0f8b2e4
                                                                    • Opcode Fuzzy Hash: 0d6f3437d03fe5aa4f51e8e74fa4409d34d0e7854ad8eda007dad4bfdfa39413
                                                                    • Instruction Fuzzy Hash: 97419FB091034A9FCB48DF68C4865CEBFB0FB68394F20561AF856A6250D3B4D6A4CFD5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180017CE4 Relevance: 1.3, Strings: 1, Instructions: 88COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 8N
                                                                    • API String ID: 0-1657423088
                                                                    • Opcode ID: c7b73ac620a1de8d380d3e919fde74086c8d3eb6f51cee4e1f73d7d71f9b17a5
                                                                    • Instruction ID: 05e8e8e61cf54c40f354227930f27795623571b92907d2ce5de0c79af9b5eb72
                                                                    • Opcode Fuzzy Hash: c7b73ac620a1de8d380d3e919fde74086c8d3eb6f51cee4e1f73d7d71f9b17a5
                                                                    • Instruction Fuzzy Hash: 3041B2B180078A8FCF48DF68D88A5DE7BF0FB48344F515619F82AA6250D3B49664CF94
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180002178 Relevance: 1.3, Strings: 1, Instructions: 88COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: J3n
                                                                    • API String ID: 0-3694000235
                                                                    • Opcode ID: 5e0585a393d7b877ef62559883b768be0e35881de92711842f1faa0fdb5b3090
                                                                    • Instruction ID: fbc63d1771dd8068db465c214aa1fa6fe3c32017f13d31a40a539671eb8e3db3
                                                                    • Opcode Fuzzy Hash: 5e0585a393d7b877ef62559883b768be0e35881de92711842f1faa0fdb5b3090
                                                                    • Instruction Fuzzy Hash: 9241B2B090034A8FCB48CF64D48A5DEBFF0FB68398F104619E819A6250D3B496A5CFD5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001F7C0 Relevance: 1.3, Strings: 1, Instructions: 86COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: c&A
                                                                    • API String ID: 0-649646960
                                                                    • Opcode ID: 222d628d9e4dbd3e938f419e6eccfde97dede3f6fc3ed5f8b1cf47718be42e18
                                                                    • Instruction ID: 5c1e29145451eb3f41bdf5aebc87db8614fe3fe022aa4abe865b5bb925589833
                                                                    • Opcode Fuzzy Hash: 222d628d9e4dbd3e938f419e6eccfde97dede3f6fc3ed5f8b1cf47718be42e18
                                                                    • Instruction Fuzzy Hash: A041B2B490038E8FCF48DF68D8465DE7BB0FF58348F114619E865A6250D3B8D665CF85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800029BC Relevance: 1.3, Strings: 1, Instructions: 85COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: (3
                                                                    • API String ID: 0-2570504824
                                                                    • Opcode ID: a8e5f93200cbe41d1aa1f83add337e38aaec9fa9aeab5943e76885fb2eb57509
                                                                    • Instruction ID: 078cae481ecab5ebae8a44fc1aa70e5a526d9ef7cdb5a4e390aeab476efd0bb7
                                                                    • Opcode Fuzzy Hash: a8e5f93200cbe41d1aa1f83add337e38aaec9fa9aeab5943e76885fb2eb57509
                                                                    • Instruction Fuzzy Hash: 8641E1B190034E8BCB48DF65C89A4EE7FB0FB58388F10461DE856AB250D37496A9CFD5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018002C7B4 Relevance: 1.3, Strings: 1, Instructions: 81COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: [r\^
                                                                    • API String ID: 0-4041245994
                                                                    • Opcode ID: 7e09be878869778b676359d511607d642bff81e0c723db1b86f2cce54c765f10
                                                                    • Instruction ID: bef136deadb7757a9af36730b388b650d276232742e73576b67fc962b3bf4495
                                                                    • Opcode Fuzzy Hash: 7e09be878869778b676359d511607d642bff81e0c723db1b86f2cce54c765f10
                                                                    • Instruction Fuzzy Hash: A841E2B090034E8FCB48DFA4D48A5DE7FB1FB58358F10861DE85AA6210C3B896A4CFD5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180019FDC Relevance: 1.3, Strings: 1, Instructions: 80COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #X
                                                                    • API String ID: 0-1684620495
                                                                    • Opcode ID: e5059ebb106ab31542f79bed70f85174c6c5fb64cd94bc4155e3ee01b83e8653
                                                                    • Instruction ID: c074d48008b4f0de6335b08329d09b3dcf7b4425e670a70b5eb694557c772c54
                                                                    • Opcode Fuzzy Hash: e5059ebb106ab31542f79bed70f85174c6c5fb64cd94bc4155e3ee01b83e8653
                                                                    • Instruction Fuzzy Hash: CD31C27050074A8BCF48DF68C48A5DE7FA1BB68388F204619F85A96250D3B896A9CBC4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180002790 Relevance: 1.3, Strings: 1, Instructions: 75COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: [[x
                                                                    • API String ID: 0-2553898450
                                                                    • Opcode ID: fce498f01d1264328632f2ce3828285d2b3a4cfcf13af4523760d9f610b529f8
                                                                    • Instruction ID: a8e0a129d75fff214b9f34755e9293911d3f443417a5185f62d90841b3dbcaf2
                                                                    • Opcode Fuzzy Hash: fce498f01d1264328632f2ce3828285d2b3a4cfcf13af4523760d9f610b529f8
                                                                    • Instruction Fuzzy Hash: 8031AF701087848BD759DF68D48A51EFFF1FBC5398F500A0CF68286260D7B6E889CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001E960 Relevance: 1.3, Strings: 1, Instructions: 73COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: g\&
                                                                    • API String ID: 0-1994035986
                                                                    • Opcode ID: f1cd2deb5ac8493e30d5546e6bad4ad0a2e3582185550e3a432f48c3f1068d26
                                                                    • Instruction ID: 78d7b7b30cf9cde697684abc63e3144e4f3c104511914dfd36499d518091e057
                                                                    • Opcode Fuzzy Hash: f1cd2deb5ac8493e30d5546e6bad4ad0a2e3582185550e3a432f48c3f1068d26
                                                                    • Instruction Fuzzy Hash: 49419FB090034E8FCB45CF64D48A5DEBFF0FB68788F204619E855A6220D37496A9CFD5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000338C Relevance: 1.3, Strings: 1, Instructions: 70COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #X
                                                                    • API String ID: 0-1684620495
                                                                    • Opcode ID: d6f38c749d7bf2c025576eea968cfd60362aaf86b7b5e01395e428e1a7e85413
                                                                    • Instruction ID: 6a57ff0d0e6417dcb220414ddd6fd05f9d25965c1474ecef6a781787815c5441
                                                                    • Opcode Fuzzy Hash: d6f38c749d7bf2c025576eea968cfd60362aaf86b7b5e01395e428e1a7e85413
                                                                    • Instruction Fuzzy Hash: 0F317FB06187858B8348DF28C45A41ABBE1FB8D31DF504B1DF8CAA7390D738D656CB4A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800095DC Relevance: 1.3, Strings: 1, Instructions: 68COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: GfMu
                                                                    • API String ID: 0-241548529
                                                                    • Opcode ID: 8a67e3bf7b4199a1d3604c9779ca93a2bad0c6c3acd17a475ebbae523034d89b
                                                                    • Instruction ID: 459bd1ae445ea4b99a05d17f5b7f57a0228a98ad0e4316bc4572b1ae85115cb6
                                                                    • Opcode Fuzzy Hash: 8a67e3bf7b4199a1d3604c9779ca93a2bad0c6c3acd17a475ebbae523034d89b
                                                                    • Instruction Fuzzy Hash: 3F31A4B080034E9FCB44DF65C88A5DE7FB0FB28398F118619E859A6254D3B8D6A5CFC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000F9E8 Relevance: 1.3, Strings: 1, Instructions: 67COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: k|
                                                                    • API String ID: 0-998972391
                                                                    • Opcode ID: 6236ffa949a3ca0ec4882c0e2f53e6d4deed0830cebabbf337115adf18185b80
                                                                    • Instruction ID: 2ac7c004f44a328b632a383646e80911aebdd3a2d92afb1c4fde4e6b566515e4
                                                                    • Opcode Fuzzy Hash: 6236ffa949a3ca0ec4882c0e2f53e6d4deed0830cebabbf337115adf18185b80
                                                                    • Instruction Fuzzy Hash: 0E316BB55187858BC348DF28C44A41ABBE0FB8D70DF401B2EF4CAAA254D778D646CB4B
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001D950 Relevance: 1.3, Strings: 1, Instructions: 66COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: wz_
                                                                    • API String ID: 0-2163964638
                                                                    • Opcode ID: b40e6b262b7e1498d3f21ab3c4cda150b043a181806bf38e185a76218508c891
                                                                    • Instruction ID: 85abef5d63a3cc0fc3de64b3cbe2355aa0dee9f977196367498a1db9d5329f65
                                                                    • Opcode Fuzzy Hash: b40e6b262b7e1498d3f21ab3c4cda150b043a181806bf38e185a76218508c891
                                                                    • Instruction Fuzzy Hash: 1B31A3B190438E9FCB84CF64D88A5DE7BB0FB58358F104A19EC69A6210D3B4C665CFC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000580C Relevance: 1.3, Strings: 1, Instructions: 65COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: {?Q
                                                                    • API String ID: 0-927583641
                                                                    • Opcode ID: 839c14ccb0eb6183acb001e089a9759e5faeed76da85f154f8e90dad145701fc
                                                                    • Instruction ID: 7795a7564029993a5c8c4ac1e25182a2d51a1c6f7b8e281b16b6dc8244c6ef4e
                                                                    • Opcode Fuzzy Hash: 839c14ccb0eb6183acb001e089a9759e5faeed76da85f154f8e90dad145701fc
                                                                    • Instruction Fuzzy Hash: A431A4B4529780ABC788DF28C49691EBBF1FBC9314F806A1CF9868A350D775D855CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180021510 Relevance: 1.3, Strings: 1, Instructions: 61COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: |}6\
                                                                    • API String ID: 0-3074799505
                                                                    • Opcode ID: 23fa338bd40b2aad003d9f0634311d3454ffb754a67c2adf2f847410751a50d9
                                                                    • Instruction ID: deee1345628e574e08842a382b14917b2dc53efdf1581624b2725d4aab218cc2
                                                                    • Opcode Fuzzy Hash: 23fa338bd40b2aad003d9f0634311d3454ffb754a67c2adf2f847410751a50d9
                                                                    • Instruction Fuzzy Hash: 06216EB4529380AB8388DF29C48981EBBF0FBC9344F906A1EF88696364D775D445CB02
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001FA38 Relevance: 1.3, Strings: 1, Instructions: 59COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 3&a
                                                                    • API String ID: 0-537350193
                                                                    • Opcode ID: beaf1e19c187a0f85b52ebc77c111716efe920449ad97bd8647c465ec4e93b8f
                                                                    • Instruction ID: 8a645f8d3c8cc56bac308d2d2ecdfd486002fa9c5fd877c3d873e02a569d50ca
                                                                    • Opcode Fuzzy Hash: beaf1e19c187a0f85b52ebc77c111716efe920449ad97bd8647c465ec4e93b8f
                                                                    • Instruction Fuzzy Hash: 39216E74528781AFC788DF28D49981FBBE1FB88304F806A1DF88687360D774D459CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001435C Relevance: 1.3, Strings: 1, Instructions: 56COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: o0:X
                                                                    • API String ID: 0-645126758
                                                                    • Opcode ID: 16e91aede479f97639727f95d3587bc05ccff40046920f17c5bc1350390a4fa4
                                                                    • Instruction ID: 22f452758bb10e6d75f49cffb2921ccf5c0237a957934827f7fc810dfbc33e73
                                                                    • Opcode Fuzzy Hash: 16e91aede479f97639727f95d3587bc05ccff40046920f17c5bc1350390a4fa4
                                                                    • Instruction Fuzzy Hash: AC2168B060C7848BD348DF68C49691ABBE0FB9D358F504B1DF4CAAA261D3789645CB4A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180020CFC Relevance: 1.3, Strings: 1, Instructions: 55COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: D4}
                                                                    • API String ID: 0-491520632
                                                                    • Opcode ID: e694fe3bb7f23863c566d88b3f3e9b79af36947dfdaac95326105a138b36f14b
                                                                    • Instruction ID: bbb3bee9fa9cdc8f6282772afd18f295cdd348f2c7f059baa6db29b6d6e0bb5b
                                                                    • Opcode Fuzzy Hash: e694fe3bb7f23863c566d88b3f3e9b79af36947dfdaac95326105a138b36f14b
                                                                    • Instruction Fuzzy Hash: A9215DB550C3848BC788DF28C49651BBBE1BB8C318F444B2DF4CAAA365D7789654CF4A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3CAA0C Relevance: .3, Instructions: 260COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate_errno_getptd
                                                                    • String ID:
                                                                    • API String ID: 1583075380-0
                                                                    • Opcode ID: b49a52df605eb860e81aecf945551c905b422740176ff48a34f4eb53aef691de
                                                                    • Instruction ID: ad433e7b5a263c5125f8c8c8461972218c2ae23042a083053db8226b59a44e48
                                                                    • Opcode Fuzzy Hash: b49a52df605eb860e81aecf945551c905b422740176ff48a34f4eb53aef691de
                                                                    • Instruction Fuzzy Hash: 98A1A432B2958141DB649F2599A97BFA392FB84BD4F448135DE4D6FBC5CE3CE9018300
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3CEB60 Relevance: .2, Instructions: 202COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d9410001777fc81e6582bcbf2c9e1b051a8f1f2b874c05684980e9ac5d71aab9
                                                                    • Instruction ID: 9822a89d22009fbb7e43cfe1a984b36dda5ddcaed8f39223095e0fb1b98f995b
                                                                    • Opcode Fuzzy Hash: d9410001777fc81e6582bcbf2c9e1b051a8f1f2b874c05684980e9ac5d71aab9
                                                                    • Instruction Fuzzy Hash: F971DFB2F295464BD31CCB18ED9167866D6E7E4314F588136DA0A9FBD8EA3DFD408B00
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180018598 Relevance: .2, Instructions: 197COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5d0a71211182b7f87b6da8fb5c4bb16c050ce1c1bc57c3eb72ccfc764dcd8f25
                                                                    • Instruction ID: 8540b9e78b3a5a21de6b0995fa07f246b5a6616f24314d9c292e70c997d69f1a
                                                                    • Opcode Fuzzy Hash: 5d0a71211182b7f87b6da8fb5c4bb16c050ce1c1bc57c3eb72ccfc764dcd8f25
                                                                    • Instruction Fuzzy Hash: 03916670904B0D8BDF48DF94C48A1EEBBF1FB48358F15821DE84AA7250DB749A89CF85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000F7E0 Relevance: .2, Instructions: 156COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: efccbdecd07d61b7fd9807909e593046fc70b22fd17ef27bebbdee29ceef9f7a
                                                                    • Instruction ID: b4cc55b2ba55f7836136ac8b5ed3643aad821ec95d31101853fef74eb9d9cec8
                                                                    • Opcode Fuzzy Hash: efccbdecd07d61b7fd9807909e593046fc70b22fd17ef27bebbdee29ceef9f7a
                                                                    • Instruction Fuzzy Hash: FF51787090470DABDBA9CF64C4893EEBBF0FB48354F60806DE85697390DB749A85CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001DBE8 Relevance: .2, Instructions: 153COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1505da822373411ddcecd725c63ebafe53e843356a51ddc09aa4b8a95d314011
                                                                    • Instruction ID: 8a210f576f06192acb1348665dce29b8299704b90f8c36c4c02948eefca36544
                                                                    • Opcode Fuzzy Hash: 1505da822373411ddcecd725c63ebafe53e843356a51ddc09aa4b8a95d314011
                                                                    • Instruction Fuzzy Hash: 98819EB590034E8FCB48CF68C48A5DE7FB0BB68394F614219F8569A260D774DAA5CFC4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180019300 Relevance: .1, Instructions: 129COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 197fc001b9ca96d8c078894440fafc4def679aa452f545048d4dbe605d0ae04d
                                                                    • Instruction ID: a715a821166c3325a5f96f2d5301173626eb48cd37bd72c2dcb4fea3562e42b3
                                                                    • Opcode Fuzzy Hash: 197fc001b9ca96d8c078894440fafc4def679aa452f545048d4dbe605d0ae04d
                                                                    • Instruction Fuzzy Hash: 79512EB150074A8BDB49DF28C0D76AE3FE1EB64388F20411DFD468A295D774DAA9CBC1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001CD38 Relevance: .1, Instructions: 124COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2ace7ea2d26746cc3390ccab9d64ee1f2d7dc726b4390747d9cc592a488b98cf
                                                                    • Instruction ID: fc479b7e82b21315ffd406d8fba444b33d09de74539f70da2a8813263b1569c5
                                                                    • Opcode Fuzzy Hash: 2ace7ea2d26746cc3390ccab9d64ee1f2d7dc726b4390747d9cc592a488b98cf
                                                                    • Instruction Fuzzy Hash: 65416D7020DB488FD768DF18948975ABBF0FB9A740F404A9DE5CAC7256D771D844CB82
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800197A0 Relevance: .1, Instructions: 118COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 97ae2c8ea2cdf4840b91f894fd37a694475120081486fc145809f74360d0bada
                                                                    • Instruction ID: dbb4fad0742d9b29c59b9a64f17438fc1cba9462e735a4e3b2d00d7b8da19945
                                                                    • Opcode Fuzzy Hash: 97ae2c8ea2cdf4840b91f894fd37a694475120081486fc145809f74360d0bada
                                                                    • Instruction Fuzzy Hash: 4C5192B490038E8FCB48CF69C84A5DE7BB1FB48358F104A19FC26A6250D7B4D665CF94
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180008AD8 Relevance: .1, Instructions: 107COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f1b44f26b2e4c7e97ddfb81a3adbda3d77288edc4ecbe0bae8cc8933f1c33e44
                                                                    • Instruction ID: 08efbb833ea687ad733901112953304226336fcfa3581264405f9509991f6ff4
                                                                    • Opcode Fuzzy Hash: f1b44f26b2e4c7e97ddfb81a3adbda3d77288edc4ecbe0bae8cc8933f1c33e44
                                                                    • Instruction Fuzzy Hash: 6551BEB490074A8BCB48CF68D4875DE7FB0FB68398F20421DEC56AA250D3B496A5CFD4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180009F5C Relevance: .1, Instructions: 107COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 16eb5be53274359ca32061ddf2fd9752b6767c1a5dd3248deb14ec1aa5e29bf1
                                                                    • Instruction ID: 52c1f8436ada09c5d91cc0f6a0e49c089501cc81ef075f7e28a52ff611ebfcf9
                                                                    • Opcode Fuzzy Hash: 16eb5be53274359ca32061ddf2fd9752b6767c1a5dd3248deb14ec1aa5e29bf1
                                                                    • Instruction Fuzzy Hash: D351B3B190438E8FCB48DF68D98A5DE7BB0FB48348F104A19FC26A6250D3B4D664CF85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000F917 Relevance: .1, Instructions: 99COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bcde6b28aa1f9cc532f581acc23668cd4c3c6920105dcd3780d199daaa58310a
                                                                    • Instruction ID: 871f118089c9e262c63038bd4f0fd9666d89e9c6fa6f13266ea976bdce614408
                                                                    • Opcode Fuzzy Hash: bcde6b28aa1f9cc532f581acc23668cd4c3c6920105dcd3780d199daaa58310a
                                                                    • Instruction Fuzzy Hash: CB41393190071DABDB95CFA4C8892EEBBF1FF44358F608159E852A7384DBB49685CF81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180019E78 Relevance: .1, Instructions: 94COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: be6c09d37bb88d9ef1cd1e4f7c6fe28a3503fab801bd979a9297db1a45dede51
                                                                    • Instruction ID: 72cb41ac5f9990f9c197b8bd4b5430fc958a2c545255f7632808fe9bc15cd904
                                                                    • Opcode Fuzzy Hash: be6c09d37bb88d9ef1cd1e4f7c6fe28a3503fab801bd979a9297db1a45dede51
                                                                    • Instruction Fuzzy Hash: A141D27090034A8BCB48DF68D8865DE7FB0FB58388F20461DE81AA6350D3B896A5CBD5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180001FE0 Relevance: .1, Instructions: 94COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 937cbbccdfb62f32f5a53fbe7826fb6fdb7ed657b014fade726fdd4e8827f138
                                                                    • Instruction ID: 5a85513126e01a98bb902dccfe4af02f6196fd3989a765a33a65cbdcda0cb452
                                                                    • Opcode Fuzzy Hash: 937cbbccdfb62f32f5a53fbe7826fb6fdb7ed657b014fade726fdd4e8827f138
                                                                    • Instruction Fuzzy Hash: 0641E5B091038A8FCF88DF64D84A5DE7BB0FB58358F104A1DFC65A6250E3B49664CF85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180015CB0 Relevance: .1, Instructions: 92COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 17a73d98c2b5216e6ebfe3da59b71ff0bc58f6e68d4a2580613c8fab7b77e503
                                                                    • Instruction ID: 77361ced58272e7b73a95c704b243c92926a81ca7bf4620d616fd1e275fcbc28
                                                                    • Opcode Fuzzy Hash: 17a73d98c2b5216e6ebfe3da59b71ff0bc58f6e68d4a2580613c8fab7b77e503
                                                                    • Instruction Fuzzy Hash: A841D2B190434E8FCB48DF68C4865DE7FF0FB58388F204219E859A6250D3B896A5CFC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3CA77C Relevance: .1, Instructions: 85COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _getptd
                                                                    • String ID:
                                                                    • API String ID: 3186804695-0
                                                                    • Opcode ID: 07c06ba19e2310f742034fc51624b2b683580184b74621a532736302abba6d70
                                                                    • Instruction ID: 8a7552caf207069d283f23d4f97fa4146c4e637b3f2d53544fc255e2aea9464c
                                                                    • Opcode Fuzzy Hash: 07c06ba19e2310f742034fc51624b2b683580184b74621a532736302abba6d70
                                                                    • Instruction Fuzzy Hash: 8C31D222B2978541EB44DF2AD8997AE67D1EB84BD0F194135EA4E1B7D5CF3CD801C700
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000C4B4 Relevance: .1, Instructions: 75COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d3646060d8cb761d7de136982460322f3472e8f5a21e87ad1ead63779f29ae52
                                                                    • Instruction ID: 4f2f4704f2b9e1c234c275d0f4f9a14eb4d491f2b4b6dbd4d57755e8fe2c6edd
                                                                    • Opcode Fuzzy Hash: d3646060d8cb761d7de136982460322f3472e8f5a21e87ad1ead63779f29ae52
                                                                    • Instruction Fuzzy Hash: 6341C4B090438ECFCF48CF68C8895CE7BB0FF58358F114A19E825A6250D3B49665CF95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800157D8 Relevance: .1, Instructions: 73COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1d53fd4730f7ea41163b882b7fe0da69ca66e61df5fc81e281dc4420083e2c61
                                                                    • Instruction ID: 4854a602bbf38c78d9fab67e5db6ce586c5dff59e36b89151347ba9907d49bba
                                                                    • Opcode Fuzzy Hash: 1d53fd4730f7ea41163b882b7fe0da69ca66e61df5fc81e281dc4420083e2c61
                                                                    • Instruction Fuzzy Hash: D13189B0529781ABD78CDF28C49981EBBE1FBC8344FC46A2DF9868B350D7749405CB46
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001F944 Relevance: .1, Instructions: 54COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 213fcaffb4d8b257d73b1e87ee3d57575e303918952cee2d1b890f97e83a5388
                                                                    • Instruction ID: a8885bbbd8deb659e28c33910928e4ea9ad8e802d57f0785ac04cb05f9903a21
                                                                    • Opcode Fuzzy Hash: 213fcaffb4d8b257d73b1e87ee3d57575e303918952cee2d1b890f97e83a5388
                                                                    • Instruction Fuzzy Hash: 802160B0528784AFC398DF28D49981ABBF1FB89344F806A1DF98687350E374D459CB43
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800124B4 Relevance: .1, Instructions: 53COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 789a1fcad167e99ddc40482d8caf18e48711ae2075d057cfa5242344ff1b2506
                                                                    • Instruction ID: 3e7ffcddda8d873ed620f17f9684606eb13d1dd5f0b21141b7977a2e64531d07
                                                                    • Opcode Fuzzy Hash: 789a1fcad167e99ddc40482d8caf18e48711ae2075d057cfa5242344ff1b2506
                                                                    • Instruction Fuzzy Hash: AF217F74529780AFC788DF29C08981EBBE1FB99748F806A1DF88697354D375D445CF42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800141C0 Relevance: .0, Instructions: 46COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386489035.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 825ba780bde58c245e7a1d3728ec0527652b1ee71a04877d42e2af350f08e315
                                                                    • Instruction ID: 85e8bde3e512593198615bb83ad7c533a741442781c438c8658c5734f088230b
                                                                    • Opcode Fuzzy Hash: 825ba780bde58c245e7a1d3728ec0527652b1ee71a04877d42e2af350f08e315
                                                                    • Instruction Fuzzy Hash: AA2148B4508384CBD349DF29D05951BBBE0BB8D75CF900B1DF4CAAB264D7789644CB0A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3CDF20 Relevance: .0, Instructions: 7COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d7cc4962d52e3e4a2947f3a3b752558ec936755315000d7411880e05df0ff2ae
                                                                    • Instruction ID: 274f8b93764fc08f011a3a64e12b6a32b77d440eab93117cd21f6bb4a29a2fc6
                                                                    • Opcode Fuzzy Hash: d7cc4962d52e3e4a2947f3a3b752558ec936755315000d7411880e05df0ff2ae
                                                                    • Instruction Fuzzy Hash: EEB09229B1CB5886876987876844A19AA92BBACBE4A0440349D0D67BA4D93CEB408B80
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C98A4 Relevance: 53.8, APIs: 43, Instructions: 94COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: free$ErrorFreeHeapLast_errno
                                                                    • String ID:
                                                                    • API String ID: 1012874770-0
                                                                    • Opcode ID: b5d5b29a13da0feaba005b5cdbb38ef60d3e58c86b165e4530729409fd253580
                                                                    • Instruction ID: 087c9da10066b92885f48c14966af1c93a50fd08a0a009823ecdd807a98e56cb
                                                                    • Opcode Fuzzy Hash: b5d5b29a13da0feaba005b5cdbb38ef60d3e58c86b165e4530729409fd253580
                                                                    • Instruction Fuzzy Hash: CC418463B2A491C1EA64EB21DC912BC53E0AF84B54F056131DB4E6F1E6CE16EC45C354
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3CD0B8 Relevance: 36.9, APIs: 15, Strings: 6, Instructions: 130libraryloaderCOMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF2F3C70D4,?,?,?,?,?,00007FFF2F3C7194), ref: 00007FFF2F3CD0F5
                                                                    • GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF2F3C70D4,?,?,?,?,?,00007FFF2F3C7194), ref: 00007FFF2F3CD111
                                                                    • GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF2F3C70D4,?,?,?,?,?,00007FFF2F3C7194), ref: 00007FFF2F3CD139
                                                                    • EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF2F3C70D4,?,?,?,?,?,00007FFF2F3C7194), ref: 00007FFF2F3CD142
                                                                    • GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF2F3C70D4,?,?,?,?,?,00007FFF2F3C7194), ref: 00007FFF2F3CD158
                                                                    • EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF2F3C70D4,?,?,?,?,?,00007FFF2F3C7194), ref: 00007FFF2F3CD161
                                                                    • GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF2F3C70D4,?,?,?,?,?,00007FFF2F3C7194), ref: 00007FFF2F3CD177
                                                                    • EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF2F3C70D4,?,?,?,?,?,00007FFF2F3C7194), ref: 00007FFF2F3CD180
                                                                    • GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF2F3C70D4,?,?,?,?,?,00007FFF2F3C7194), ref: 00007FFF2F3CD19E
                                                                    • EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF2F3C70D4,?,?,?,?,?,00007FFF2F3C7194), ref: 00007FFF2F3CD1A7
                                                                    • DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF2F3C70D4,?,?,?,?,?,00007FFF2F3C7194), ref: 00007FFF2F3CD1D9
                                                                    • DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF2F3C70D4,?,?,?,?,?,00007FFF2F3C7194), ref: 00007FFF2F3CD1E8
                                                                    • DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF2F3C70D4,?,?,?,?,?,00007FFF2F3C7194), ref: 00007FFF2F3CD240
                                                                    • DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF2F3C70D4,?,?,?,?,?,00007FFF2F3C7194), ref: 00007FFF2F3CD260
                                                                    • DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF2F3C70D4,?,?,?,?,?,00007FFF2F3C7194), ref: 00007FFF2F3CD279
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Pointer$AddressDecodeProc$Encode$LibraryLoad
                                                                    • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
                                                                    • API String ID: 3085332118-232180764
                                                                    • Opcode ID: 3571919baaed57aa13675d85a49604ff28a57139c9f79241176628fa60ae3818
                                                                    • Instruction ID: 6114564804da50da615e0d94399ee4e4f97609b02ebbb7beaed605a9a4bdadbe
                                                                    • Opcode Fuzzy Hash: 3571919baaed57aa13675d85a49604ff28a57139c9f79241176628fa60ae3818
                                                                    • Instruction Fuzzy Hash: 3D51D620B2BB4680FD65EB92ADD417963E06F45BB0F484139ED5E2A7E5EE3CEC45C210
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3D028C Relevance: 21.3, APIs: 14, Instructions: 348COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CompareStringW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FFF2F3D07CE), ref: 00007FFF2F3D02F9
                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FFF2F3D07CE), ref: 00007FFF2F3D030D
                                                                    • GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FFF2F3D07CE), ref: 00007FFF2F3D0410
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: CompareErrorInfoLastString
                                                                    • String ID:
                                                                    • API String ID: 3723911898-0
                                                                    • Opcode ID: 1736e87f58a818c08770fb04f896c77e61df6c5aeab6e96dba7049e62cf85715
                                                                    • Instruction ID: 2e68a38a95ede36aa629336b247d643cffa891911bfe147d6f9176c5a7235ab0
                                                                    • Opcode Fuzzy Hash: 1736e87f58a818c08770fb04f896c77e61df6c5aeab6e96dba7049e62cf85715
                                                                    • Instruction Fuzzy Hash: E9E171A2B282828AEB709FE1988467D27D2FB44FA4F544535DA5D6B7C8CE7CED44C700
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C76A0 Relevance: 19.7, APIs: 13, Instructions: 182COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Pointer$DecodeEncode$ConsoleCtrlErrorHandlerLast__doserrno_errno_lock
                                                                    • String ID:
                                                                    • API String ID: 3466867069-0
                                                                    • Opcode ID: 789b8b4bb0ab73352cc37038b561749136146399fcf5725f1f3e9913cb8e60dd
                                                                    • Instruction ID: 4c42e9d7b7d0b903eb87f2a9fa2f8d40425bfd7fa3415d1e19c1ccfc81e861ba
                                                                    • Opcode Fuzzy Hash: 789b8b4bb0ab73352cc37038b561749136146399fcf5725f1f3e9913cb8e60dd
                                                                    • Instruction Fuzzy Hash: 70718921F3B60F81FA69A7599CD627C22D1AF45BB0F584536CE5E2E6E1DE2CEC41C201
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C2E18 Relevance: 18.1, APIs: 12, Instructions: 82COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: free$_lock$ErrorFreeHeapLast_errno
                                                                    • String ID:
                                                                    • API String ID: 1575098132-0
                                                                    • Opcode ID: d886c0d7000bdee151ce2691e9d9b5ad3208a0c45e3f1c810682f6e78acd55a8
                                                                    • Instruction ID: c8cb0d3b8637a568071d96bf94cb85b1a22d650185968100cfa28b093b8e9460
                                                                    • Opcode Fuzzy Hash: d886c0d7000bdee151ce2691e9d9b5ad3208a0c45e3f1c810682f6e78acd55a8
                                                                    • Instruction Fuzzy Hash: 9B31E816B3F54285FE68EAA198E177852D1AF80F64F082539EA0E3F6C6CF1DEC418355
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3CA250 Relevance: 15.3, APIs: 10, Instructions: 253COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: free$ErrorInfoLast
                                                                    • String ID:
                                                                    • API String ID: 189849726-0
                                                                    • Opcode ID: 5e1deda3965494b22b6a4b1c1a8d863e304f3e95d2d689d04d0c4e6b189d07b4
                                                                    • Instruction ID: 38fbe085d12f375b958ca52ee9d4b6b3cedfd847b938771ee3abaced30eb6f28
                                                                    • Opcode Fuzzy Hash: 5e1deda3965494b22b6a4b1c1a8d863e304f3e95d2d689d04d0c4e6b189d07b4
                                                                    • Instruction Fuzzy Hash: ABB1C032B2A69186DB20CF25A8942AD77D0FB48B64F444135EB9D9B7D1DF3DE941C700
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C4F04 Relevance: 13.8, APIs: 11, Instructions: 90COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: free$ErrorFreeHeapLast_errno
                                                                    • String ID:
                                                                    • API String ID: 1012874770-0
                                                                    • Opcode ID: 3c3af7d426be30cf8e9a0f4f5ff6786eb9999c553a10af8131577c7025441718
                                                                    • Instruction ID: b9e525de4d8d666235f028a2fad16730ab40004a05f41d37b79e308a1d769251
                                                                    • Opcode Fuzzy Hash: 3c3af7d426be30cf8e9a0f4f5ff6786eb9999c553a10af8131577c7025441718
                                                                    • Instruction Fuzzy Hash: 8E41EA33B2B69284EE65DE61D9D03B823E0AF84B64F091435DA0E6E6D5CF2DEC91C351
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3D0A34 Relevance: 13.8, APIs: 9, Instructions: 256COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: free$_errno$DecodeEnvironmentPointerVariable__wtomb_environ
                                                                    • String ID:
                                                                    • API String ID: 3451773520-0
                                                                    • Opcode ID: e694225545c17882180803efd4dd10bf6022db2104e00cc5aed2eaf73a595679
                                                                    • Instruction ID: a45822be256683838bbd8ebe152bf1e383d32e35ce794a2962fb9f6484355ac0
                                                                    • Opcode Fuzzy Hash: e694225545c17882180803efd4dd10bf6022db2104e00cc5aed2eaf73a595679
                                                                    • Instruction Fuzzy Hash: A0A1C465F2E64641EA10ABE1AD8027A62D1FF40FB8F548635D91E6F7C9DE3CEC558300
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3CE23C Relevance: 13.7, APIs: 9, Instructions: 177COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF2F3CE292
                                                                    • GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF2F3CE2B1
                                                                    • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF2F3CE356
                                                                    • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF2F3CE3B5
                                                                    • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF2F3CE3F0
                                                                    • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF2F3CE42C
                                                                    • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF2F3CE46C
                                                                    • free.LIBCMT ref: 00007FFF2F3CE47A
                                                                    • free.LIBCMT ref: 00007FFF2F3CE49C
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$Infofree
                                                                    • String ID:
                                                                    • API String ID: 1638741495-0
                                                                    • Opcode ID: ce8117ab18d8874cf8440c92ec5f3b21420e9de26f709fb2524c2ddf018fd4d7
                                                                    • Instruction ID: ceb0fd1dd34df4d8afed637884f446d924951205b66d50dd4bd381df4876ae09
                                                                    • Opcode Fuzzy Hash: ce8117ab18d8874cf8440c92ec5f3b21420e9de26f709fb2524c2ddf018fd4d7
                                                                    • Instruction Fuzzy Hash: 6361E632B2968286E7209F619C801B976D5FF847B8F544A35DA5D6BBD4DF3CED818300
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C352C Relevance: 13.6, APIs: 9, Instructions: 98COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: DecodePointer$_initterm$ExitProcess_lock
                                                                    • String ID:
                                                                    • API String ID: 2551688548-0
                                                                    • Opcode ID: 7b592d45c7ca6c6d8cb3fd2d09d1fb2d25a7c433dc9c00e1470d97789b8f3c14
                                                                    • Instruction ID: 73fca581a3579cf9559d7c2de5c50e3eda69211234f4c65998889563f78223bf
                                                                    • Opcode Fuzzy Hash: 7b592d45c7ca6c6d8cb3fd2d09d1fb2d25a7c433dc9c00e1470d97789b8f3c14
                                                                    • Instruction Fuzzy Hash: 2A417C21B2B64281FA50AB51ECC017972E4BF88BA4F444135EA8E6B7E5EF3CEC55C705
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C8F34 Relevance: 12.2, APIs: 8, Instructions: 173COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetStringTypeW.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFF2F3C9206), ref: 00007FFF2F3C8F94
                                                                    • GetLastError.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFF2F3C9206), ref: 00007FFF2F3C8FA6
                                                                    • MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFF2F3C9206), ref: 00007FFF2F3C9006
                                                                    • MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFF2F3C9206), ref: 00007FFF2F3C90BC
                                                                    • GetStringTypeW.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFF2F3C9206), ref: 00007FFF2F3C90D3
                                                                    • free.LIBCMT ref: 00007FFF2F3C90E4
                                                                    • GetStringTypeA.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFF2F3C9206), ref: 00007FFF2F3C9161
                                                                    • free.LIBCMT ref: 00007FFF2F3C9171
                                                                      • Part of subcall function 00007FFF2F3CE23C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF2F3CE292
                                                                      • Part of subcall function 00007FFF2F3CE23C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF2F3CE2B1
                                                                      • Part of subcall function 00007FFF2F3CE23C: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF2F3CE3B5
                                                                      • Part of subcall function 00007FFF2F3CE23C: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF2F3CE3F0
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$StringType$Infofree$ErrorLast
                                                                    • String ID:
                                                                    • API String ID: 3535580693-0
                                                                    • Opcode ID: 851e935c27dd1964d5f09fdb64281df2a61b0302174b786e63cdd007473657bb
                                                                    • Instruction ID: 978706bc1a8d2fd6ba8b014835dfde851d33fdd14838da7c28d1db919a5a2a02
                                                                    • Opcode Fuzzy Hash: 851e935c27dd1964d5f09fdb64281df2a61b0302174b786e63cdd007473657bb
                                                                    • Instruction Fuzzy Hash: 6061B532B2669286E7609F61DCD45786BD2FB44BF8B154235EA1D2BBD4CE3CED418340
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C3758 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 199COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetStartupInfoA.KERNEL32 ref: 00007FFF2F3C377D
                                                                      • Part of subcall function 00007FFF2F3C3108: Sleep.KERNEL32(?,?,0000000A,00007FFF2F3C2DA3,?,?,?,00007FFF2F3C2DFF,?,?,?,00007FFF2F3C254F,?,?,?,00007FFF2F3C262A), ref: 00007FFF2F3C314D
                                                                    • GetFileType.KERNEL32 ref: 00007FFF2F3C38FA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: FileInfoSleepStartupType
                                                                    • String ID: @
                                                                    • API String ID: 1527402494-2766056989
                                                                    • Opcode ID: be5b348199184886c2585225aa819b02cc7fe3bfefb3d916d7442fb5369bb0a2
                                                                    • Instruction ID: f49eb5be2c82d53ad7bfc6579882d13a2a1cc9a0faef9bb5c4dd1be172269f09
                                                                    • Opcode Fuzzy Hash: be5b348199184886c2585225aa819b02cc7fe3bfefb3d916d7442fb5369bb0a2
                                                                    • Instruction Fuzzy Hash: 13917C22B2968281E7108B24DC887682AE5FB06774F658735C67E5B3D0DF7DEC46C305
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C25F8 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 195COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _errno$_getptd
                                                                    • String ID: +$-$0$0
                                                                    • API String ID: 3432092939-699404926
                                                                    • Opcode ID: 8efefd5caa40435472e3a9c676caa775b17fe32abe7b41ee90b269364e345ab9
                                                                    • Instruction ID: baedc3837a8ddf5f377dcb84265638c4c6a6fa346d6ee84a66828532fdd7705d
                                                                    • Opcode Fuzzy Hash: 8efefd5caa40435472e3a9c676caa775b17fe32abe7b41ee90b269364e345ab9
                                                                    • Instruction Fuzzy Hash: 2171E222F2E68285F7B546168CD477E26D0BB41F74F154136CE9E2A2D2DE7CEC818701
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C6AB8 Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • _FF_MSGBANNER.LIBCMT ref: 00007FFF2F3C6ADF
                                                                      • Part of subcall function 00007FFF2F3C6F0C: GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FFF2F3C7194,?,?,?,?,00007FFF2F3C6C69,?,?,00000000,00007FFF2F3C30C0), ref: 00007FFF2F3C6FCF
                                                                      • Part of subcall function 00007FFF2F3C334C: ExitProcess.KERNEL32 ref: 00007FFF2F3C335B
                                                                      • Part of subcall function 00007FFF2F3C309C: Sleep.KERNEL32(?,?,00000000,00007FFF2F3C6B19,?,?,00000000,00007FFF2F3C6BC3,?,?,?,?,?,?,00000000,00007FFF2F3C2DC8), ref: 00007FFF2F3C30D2
                                                                    • _errno.LIBCMT ref: 00007FFF2F3C6B21
                                                                    • _lock.LIBCMT ref: 00007FFF2F3C6B35
                                                                    • free.LIBCMT ref: 00007FFF2F3C6B57
                                                                    • _errno.LIBCMT ref: 00007FFF2F3C6B5C
                                                                    • LeaveCriticalSection.KERNEL32(?,?,00000000,00007FFF2F3C6BC3,?,?,?,?,?,?,00000000,00007FFF2F3C2DC8,?,?,?,00007FFF2F3C2DFF), ref: 00007FFF2F3C6B82
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _errno$CriticalExitFileLeaveModuleNameProcessSectionSleep_lockfree
                                                                    • String ID:
                                                                    • API String ID: 1354249094-0
                                                                    • Opcode ID: 281a6b99e1ceef077376b7d12b8049e3985eb177f8c0a9ab58ee7c303b441a02
                                                                    • Instruction ID: 5987efee2d45901a7cb0ec25dddb7fdefc87c81bbe14beeb375909920de90534
                                                                    • Opcode Fuzzy Hash: 281a6b99e1ceef077376b7d12b8049e3985eb177f8c0a9ab58ee7c303b441a02
                                                                    • Instruction Fuzzy Hash: BC213D21B3AA4282F664AB529C9437A62D4EF847A4F045434EA4E6E6C2CF7CEC418B10
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C2D70 Relevance: 9.0, APIs: 6, Instructions: 37threadCOMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,?,?,00007FFF2F3C2DFF,?,?,?,00007FFF2F3C254F,?,?,?,00007FFF2F3C262A), ref: 00007FFF2F3C2D7A
                                                                    • FlsGetValue.KERNEL32(?,?,?,00007FFF2F3C2DFF,?,?,?,00007FFF2F3C254F,?,?,?,00007FFF2F3C262A), ref: 00007FFF2F3C2D88
                                                                    • SetLastError.KERNEL32(?,?,?,00007FFF2F3C2DFF,?,?,?,00007FFF2F3C254F,?,?,?,00007FFF2F3C262A), ref: 00007FFF2F3C2DE0
                                                                      • Part of subcall function 00007FFF2F3C3108: Sleep.KERNEL32(?,?,0000000A,00007FFF2F3C2DA3,?,?,?,00007FFF2F3C2DFF,?,?,?,00007FFF2F3C254F,?,?,?,00007FFF2F3C262A), ref: 00007FFF2F3C314D
                                                                    • FlsSetValue.KERNEL32(?,?,?,00007FFF2F3C2DFF,?,?,?,00007FFF2F3C254F,?,?,?,00007FFF2F3C262A), ref: 00007FFF2F3C2DB4
                                                                    • free.LIBCMT ref: 00007FFF2F3C2DD7
                                                                    • GetCurrentThreadId.KERNEL32 ref: 00007FFF2F3C2DC8
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLastValue_lock$CurrentSleepThreadfree
                                                                    • String ID:
                                                                    • API String ID: 3106088686-0
                                                                    • Opcode ID: 1a58bbec3c0441b91cbee7445021737d92780d7df2029101222d8d22fa3fe0c2
                                                                    • Instruction ID: d24c647623e567b4c662e6c4b172221004aa56e14f8ab01344cfcf8d26329547
                                                                    • Opcode Fuzzy Hash: 1a58bbec3c0441b91cbee7445021737d92780d7df2029101222d8d22fa3fe0c2
                                                                    • Instruction Fuzzy Hash: C3012525B2AB4386FA555BE59CC417862D2BF48B70F548134D92E6A3D5DE3CEC44C630
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C9DF8 Relevance: 8.8, APIs: 7, Instructions: 36COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: free$ErrorFreeHeapLast_errno
                                                                    • String ID:
                                                                    • API String ID: 1012874770-0
                                                                    • Opcode ID: 2467c4f6b5832abe9fd2be6a03a61b6f94b407d58b9f6526efad8e926ce1459f
                                                                    • Instruction ID: d637ead84b7ab8a6c924c0dd2511689a836b06291c39697c7c8ea76e3137465a
                                                                    • Opcode Fuzzy Hash: 2467c4f6b5832abe9fd2be6a03a61b6f94b407d58b9f6526efad8e926ce1459f
                                                                    • Instruction Fuzzy Hash: 7E010953B2E41291EE60EBE1DCE113417E1AF90B20F4A1031D61E6E6D2CF6EFC808354
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C9E90 Relevance: 7.7, APIs: 6, Instructions: 246COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: free
                                                                    • String ID:
                                                                    • API String ID: 1294909896-0
                                                                    • Opcode ID: 66c2a68ae6921ce3eae9ed6cb47659e8359417b2a45b1d2ea151f135524af05a
                                                                    • Instruction ID: 29952a71b353dd1e55520d03a0d130fba569690ecaa9e59767c58fac674f87ab
                                                                    • Opcode Fuzzy Hash: 66c2a68ae6921ce3eae9ed6cb47659e8359417b2a45b1d2ea151f135524af05a
                                                                    • Instruction Fuzzy Hash: A2B19132B2AB4586EB20DB62E8906EA77E0FB85B64F400531EA8E5B785DF3DD505C740
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C60B0 Relevance: 7.6, APIs: 5, Instructions: 88COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: free$Sleep_errno
                                                                    • String ID:
                                                                    • API String ID: 2081351063-0
                                                                    • Opcode ID: ec136e1b37b0cf75a1e1cbd0173697211363db55ec0de315659f58b3930cb5b5
                                                                    • Instruction ID: a2c15ff23934b2e0a64cada7abb66f8892f8a569758274f2dfc3b8fd4df50d78
                                                                    • Opcode Fuzzy Hash: ec136e1b37b0cf75a1e1cbd0173697211363db55ec0de315659f58b3930cb5b5
                                                                    • Instruction Fuzzy Hash: 8A314F62B2A64285EB55AB22CD9127D66E1AF84FE4F458035DE0D2F3D6DE3DEC01C740
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C72D4 Relevance: 7.6, APIs: 5, Instructions: 72COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • DecodePointer.KERNEL32(?,?,?,00007FFF2F3C73E5,?,?,?,?,00007FFF2F3C34D2,?,?,?,00007FFF2F3C21CB), ref: 00007FFF2F3C72FD
                                                                    • DecodePointer.KERNEL32(?,?,?,00007FFF2F3C73E5,?,?,?,?,00007FFF2F3C34D2,?,?,?,00007FFF2F3C21CB), ref: 00007FFF2F3C730C
                                                                    • EncodePointer.KERNEL32(?,?,?,00007FFF2F3C73E5,?,?,?,?,00007FFF2F3C34D2,?,?,?,00007FFF2F3C21CB), ref: 00007FFF2F3C7389
                                                                      • Part of subcall function 00007FFF2F3C318C: realloc.LIBCMT ref: 00007FFF2F3C31B7
                                                                      • Part of subcall function 00007FFF2F3C318C: Sleep.KERNEL32(?,?,00000000,00007FFF2F3C7379,?,?,?,00007FFF2F3C73E5,?,?,?,?,00007FFF2F3C34D2), ref: 00007FFF2F3C31D3
                                                                    • EncodePointer.KERNEL32(?,?,?,00007FFF2F3C73E5,?,?,?,?,00007FFF2F3C34D2,?,?,?,00007FFF2F3C21CB), ref: 00007FFF2F3C7398
                                                                    • EncodePointer.KERNEL32(?,?,?,00007FFF2F3C73E5,?,?,?,?,00007FFF2F3C34D2,?,?,?,00007FFF2F3C21CB), ref: 00007FFF2F3C73A4
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Pointer$Encode$Decode$Sleep_errnorealloc
                                                                    • String ID:
                                                                    • API String ID: 1310268301-0
                                                                    • Opcode ID: 45f99762a2f7ec127277c333d1f44571b1c8f3f0bb701b28e9aac5b400b42b2d
                                                                    • Instruction ID: cc7c36ee128b4ac4f0ee15b20913ffb260d9aba4b78f49ba69b73963acdc19f6
                                                                    • Opcode Fuzzy Hash: 45f99762a2f7ec127277c333d1f44571b1c8f3f0bb701b28e9aac5b400b42b2d
                                                                    • Instruction Fuzzy Hash: 9D216011B2B64655EA10AB62EDC80B9A2D1BB45FE0F444835DE0D2F7D6DE7CF885C344
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C71A4 Relevance: 7.6, APIs: 5, Instructions: 65COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Pointer$Encode$Decode$Sleep_errnorealloc
                                                                    • String ID:
                                                                    • API String ID: 1310268301-0
                                                                    • Opcode ID: eece0b224e2bcc70f9921190d9f8722cba86776407b6ce9ac89865c4675fc459
                                                                    • Instruction ID: 0e3442ae90b4c65d10623458a47b302ec1c210c7b936273856026399d1cf2cca
                                                                    • Opcode Fuzzy Hash: eece0b224e2bcc70f9921190d9f8722cba86776407b6ce9ac89865c4675fc459
                                                                    • Instruction Fuzzy Hash: 68217111B2BA8654EE44EB51EDC41A9A2E1AB45BE0F484435EE5D2F7D5DE7CF8448300
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C3310 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(?,?,000000FF,00007FFF2F3C3359,?,?,00000028,00007FFF2F3C6C7D,?,?,00000000,00007FFF2F3C30C0,?,?,00000000,00007FFF2F3C6B19), ref: 00007FFF2F3C331F
                                                                    • GetProcAddress.KERNEL32(?,?,000000FF,00007FFF2F3C3359,?,?,00000028,00007FFF2F3C6C7D,?,?,00000000,00007FFF2F3C30C0,?,?,00000000,00007FFF2F3C6B19), ref: 00007FFF2F3C3334
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: AddressHandleModuleProc
                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                    • API String ID: 1646373207-1276376045
                                                                    • Opcode ID: d72bc5d50b22d09011b632762878156ef0257bf259d16f3c3461911ef1dd3856
                                                                    • Instruction ID: fc0e70cc78cbd730b9467be5dd81864684d99916dda313cf3c6e0b0114f19c09
                                                                    • Opcode Fuzzy Hash: d72bc5d50b22d09011b632762878156ef0257bf259d16f3c3461911ef1dd3856
                                                                    • Instruction Fuzzy Hash: 33E04C51F2A60241EF195BD1ACD427412D17F58B71B485479C85F2E3E0DE6CEE99C214
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C575C Relevance: 6.4, APIs: 5, Instructions: 134COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                      • Part of subcall function 00007FFF2F3C309C: Sleep.KERNEL32(?,?,00000000,00007FFF2F3C6B19,?,?,00000000,00007FFF2F3C6BC3,?,?,?,?,?,?,00000000,00007FFF2F3C2DC8), ref: 00007FFF2F3C30D2
                                                                    • free.LIBCMT ref: 00007FFF2F3C58A5
                                                                    • free.LIBCMT ref: 00007FFF2F3C58C1
                                                                      • Part of subcall function 00007FFF2F3C6550: RtlCaptureContext.KERNEL32 ref: 00007FFF2F3C658F
                                                                      • Part of subcall function 00007FFF2F3C6550: IsDebuggerPresent.KERNEL32 ref: 00007FFF2F3C662D
                                                                      • Part of subcall function 00007FFF2F3C6550: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFF2F3C6637
                                                                      • Part of subcall function 00007FFF2F3C6550: UnhandledExceptionFilter.KERNEL32 ref: 00007FFF2F3C6642
                                                                      • Part of subcall function 00007FFF2F3C6550: GetCurrentProcess.KERNEL32 ref: 00007FFF2F3C6658
                                                                      • Part of subcall function 00007FFF2F3C6550: TerminateProcess.KERNEL32 ref: 00007FFF2F3C6666
                                                                    • free.LIBCMT ref: 00007FFF2F3C58D6
                                                                      • Part of subcall function 00007FFF2F3C3024: HeapFree.KERNEL32(?,?,00000000,00007FFF2F3C2DDC,?,?,?,00007FFF2F3C2DFF,?,?,?,00007FFF2F3C254F,?,?,?,00007FFF2F3C262A), ref: 00007FFF2F3C303A
                                                                      • Part of subcall function 00007FFF2F3C3024: _errno.LIBCMT ref: 00007FFF2F3C3044
                                                                      • Part of subcall function 00007FFF2F3C3024: GetLastError.KERNEL32(?,?,00000000,00007FFF2F3C2DDC,?,?,?,00007FFF2F3C2DFF,?,?,?,00007FFF2F3C254F,?,?,?,00007FFF2F3C262A), ref: 00007FFF2F3C304C
                                                                    • free.LIBCMT ref: 00007FFF2F3C58F5
                                                                    • free.LIBCMT ref: 00007FFF2F3C5911
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: free$ExceptionFilterProcessUnhandled_errno$CaptureContextCurrentDebuggerErrorFreeHeapLastPresentSleepTerminate
                                                                    • String ID:
                                                                    • API String ID: 2294642566-0
                                                                    • Opcode ID: dc7ff44f8b32ef672d501b76c056c74ad4bf38a7a2c0d5bc14e1adea1997e9e3
                                                                    • Instruction ID: 6aa0fb0b06546b362290c0605262036cbb6125989d4ced9b3618987137937f01
                                                                    • Opcode Fuzzy Hash: dc7ff44f8b32ef672d501b76c056c74ad4bf38a7a2c0d5bc14e1adea1997e9e3
                                                                    • Instruction Fuzzy Hash: DC519037B19A9182EB609F29EC8016A63E5FB84BA8F484135DE4D5B7D4DE3CDC46C340
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C5B84 Relevance: 6.2, APIs: 4, Instructions: 186COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _getptd
                                                                    • String ID:
                                                                    • API String ID: 3186804695-0
                                                                    • Opcode ID: fa6ae430652ad88a2b7c0fc47314cf8fd6a4311639ac00b8795087540084e4bb
                                                                    • Instruction ID: a76b3d45f7f1af54b8da409b081870c295f7b83c9d84020b3c283489a98b70f3
                                                                    • Opcode Fuzzy Hash: fa6ae430652ad88a2b7c0fc47314cf8fd6a4311639ac00b8795087540084e4bb
                                                                    • Instruction Fuzzy Hash: 4D818C72B2A78296DB64DB25E9846AAB3E0FB44794F504136DB4D4BB94DF3CE850CB00
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C61F0 Relevance: 6.1, APIs: 4, Instructions: 122COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _lock$DecodePointer_errno_getptd
                                                                    • String ID:
                                                                    • API String ID: 4201827665-0
                                                                    • Opcode ID: 80346bd32cbc0638794b0fd1901a532c5b35ee42fd123eebcbfe5a7804c514a3
                                                                    • Instruction ID: 160ec7551dd6e286a1da7ae5b076a67844bcfe5693d4e38641fbade8af7d99ec
                                                                    • Opcode Fuzzy Hash: 80346bd32cbc0638794b0fd1901a532c5b35ee42fd123eebcbfe5a7804c514a3
                                                                    • Instruction Fuzzy Hash: 5D516A31B2A64286FB549B66EC907BA22D1FF447A4F104039DD5D6B3D2DE7CEC408B00
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3CF9E8 Relevance: 6.1, APIs: 4, Instructions: 67COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _errno$DecodePointercalloc
                                                                    • String ID:
                                                                    • API String ID: 1531210114-0
                                                                    • Opcode ID: 135c3f51b5ce2e738d355fd0c7e716948f0291e158272fe6257324d9ebc5dc22
                                                                    • Instruction ID: c47d9d12eb4fb973c3efb25ae8c1b0cea0686e617dc2872fab95e6ea37a412fc
                                                                    • Opcode Fuzzy Hash: 135c3f51b5ce2e738d355fd0c7e716948f0291e158272fe6257324d9ebc5dc22
                                                                    • Instruction Fuzzy Hash: 4521A136B2A74245FB149B61A89537AA2D0AF44BA0F048534EF4DAF7C6DF3CEC108A10
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C539C Relevance: 6.0, APIs: 4, Instructions: 48COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • _lock.LIBCMT ref: 00007FFF2F3C53B2
                                                                    • free.LIBCMT ref: 00007FFF2F3C53D7
                                                                      • Part of subcall function 00007FFF2F3C3024: HeapFree.KERNEL32(?,?,00000000,00007FFF2F3C2DDC,?,?,?,00007FFF2F3C2DFF,?,?,?,00007FFF2F3C254F,?,?,?,00007FFF2F3C262A), ref: 00007FFF2F3C303A
                                                                      • Part of subcall function 00007FFF2F3C3024: _errno.LIBCMT ref: 00007FFF2F3C3044
                                                                      • Part of subcall function 00007FFF2F3C3024: GetLastError.KERNEL32(?,?,00000000,00007FFF2F3C2DDC,?,?,?,00007FFF2F3C2DFF,?,?,?,00007FFF2F3C254F,?,?,?,00007FFF2F3C262A), ref: 00007FFF2F3C304C
                                                                    • _lock.LIBCMT ref: 00007FFF2F3C53F2
                                                                    • free.LIBCMT ref: 00007FFF2F3C5438
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _lockfree$ErrorFreeHeapLast_errno
                                                                    • String ID:
                                                                    • API String ID: 3188102813-0
                                                                    • Opcode ID: 09c59b142491067d37077feec729aeb8b77d96716ac98985a4df9f6db3f8d771
                                                                    • Instruction ID: 95c692d28d462af615c2a073576bd11bb0af0aaae05836f349369bbc3d767f83
                                                                    • Opcode Fuzzy Hash: 09c59b142491067d37077feec729aeb8b77d96716ac98985a4df9f6db3f8d771
                                                                    • Instruction Fuzzy Hash: BC115E22B3B50285FF959BB1DCE137922D09F84B34F045135D61E2E3C6DE6CAC418721
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C2C94 Relevance: 6.0, APIs: 4, Instructions: 44COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalDeleteSection$Freefree
                                                                    • String ID:
                                                                    • API String ID: 1250194111-0
                                                                    • Opcode ID: 0b4381b0394cf9d2fe44ee79bc2f59f9ea8a8cfc0730820b202f43bccc0e215f
                                                                    • Instruction ID: 2171b79729d846742b612b2dbbfa54019ed7189a9e8525c5b8bb6b7d97f01cd9
                                                                    • Opcode Fuzzy Hash: 0b4381b0394cf9d2fe44ee79bc2f59f9ea8a8cfc0730820b202f43bccc0e215f
                                                                    • Instruction Fuzzy Hash: D3116D75F2AA4286EA148B95EC8013873E0FF40B60F588530DA6E2B6D5CF3CEC958B00
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C544C Relevance: 6.0, APIs: 4, Instructions: 41COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _lock$Sleep_errno_getptd
                                                                    • String ID:
                                                                    • API String ID: 2111406555-0
                                                                    • Opcode ID: 673e868a23441bf53d2040884fedd38da7dd7cebd98ae69a44e812092c6a0ba8
                                                                    • Instruction ID: 2f2be2e340456134a8fcba5f5a389f45a605c73c9721411b36ca3232399c91e7
                                                                    • Opcode Fuzzy Hash: 673e868a23441bf53d2040884fedd38da7dd7cebd98ae69a44e812092c6a0ba8
                                                                    • Instruction Fuzzy Hash: 4E017122B2B64286F7446B76DC917AD62E0EF44BA4F448434DA0D6B3C7CE2CEC508761
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3CBB50 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 136COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _errno$_getptd
                                                                    • String ID: #
                                                                    • API String ID: 3432092939-1885708031
                                                                    • Opcode ID: 9b19af0c0418e3e0b258a70cd69edc5393c065aacbb8da76a6c44f52b7c881eb
                                                                    • Instruction ID: c78afae374fa8b1afcdefc0ca271b6efefd70237714268f082568e3be01eb884
                                                                    • Opcode Fuzzy Hash: 9b19af0c0418e3e0b258a70cd69edc5393c065aacbb8da76a6c44f52b7c881eb
                                                                    • Instruction Fuzzy Hash: 07518222B1E68585D7218F25E8842BEBBE4F781BA0F584131DB9D2B795CE3DDC41CB01
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF2F3C9BB0 Relevance: 5.1, APIs: 4, Instructions: 148COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.386628189.00007FFF2F381000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F380000, based on PE: true
                                                                    • Associated: 00000002.00000002.386622364.00007FFF2F380000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386728906.00007FFF2F3D2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386780878.00007FFF2F3D6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.386791885.00007FFF2F3D9000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff2f380000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: free
                                                                    • String ID:
                                                                    • API String ID: 1294909896-0
                                                                    • Opcode ID: b79b3224c3083f646637f6279f6889a3266e8c7020fbd897531d60d37c45b2be
                                                                    • Instruction ID: 8e852f18aee527952bae7aae55552c5c20252dd24e87be8ea7da9810b2db4b11
                                                                    • Opcode Fuzzy Hash: b79b3224c3083f646637f6279f6889a3266e8c7020fbd897531d60d37c45b2be
                                                                    • Instruction Fuzzy Hash: 7B51A432B2B68586EA609F11E8D42B97BE0BB45BA0F564531DB5E2B7C1CE3DED41C310
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Execution Graph

                                                                    Execution Coverage:11.1%
                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:11
                                                                    Total number of Limit Nodes:0
                                                                    execution_graph 3416 22572a70000 3417 22572a70183 3416->3417 3418 22572a7043e VirtualAlloc 3417->3418 3422 22572a70462 3418->3422 3419 22572a70a7b 3420 22572a70531 GetNativeSystemInfo 3420->3419 3421 22572a7056d VirtualAlloc 3420->3421 3426 22572a7058b 3421->3426 3422->3419 3422->3420 3423 22572a70a00 3423->3419 3424 22572a70a56 RtlAddFunctionTable 3423->3424 3424->3419 3425 22572a709d9 VirtualProtect 3425->3426 3426->3423 3426->3425 3426->3426

                                                                    Executed Functions

                                                                    Function 0000022572A70000 Relevance: 76.3, APIs: 5, Strings: 38, Instructions: 1094memoryCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 0 22572a70000-22572a70460 call 22572a70aa8 * 2 VirtualAlloc 22 22572a7048a-22572a70494 0->22 23 22572a70462-22572a70466 0->23 26 22572a7049a-22572a7049e 22->26 27 22572a70a91-22572a70aa6 22->27 24 22572a70468-22572a70488 23->24 24->22 24->24 26->27 28 22572a704a4-22572a704a8 26->28 28->27 29 22572a704ae-22572a704b2 28->29 29->27 30 22572a704b8-22572a704bf 29->30 30->27 31 22572a704c5-22572a704d2 30->31 31->27 32 22572a704d8-22572a704e1 31->32 32->27 33 22572a704e7-22572a704f4 32->33 33->27 34 22572a704fa-22572a70507 33->34 35 22572a70509-22572a70511 34->35 36 22572a70531-22572a70567 GetNativeSystemInfo 34->36 38 22572a70513-22572a70518 35->38 36->27 37 22572a7056d-22572a70589 VirtualAlloc 36->37 39 22572a7058b-22572a7059e 37->39 40 22572a705a0-22572a705ac 37->40 41 22572a7051a-22572a7051f 38->41 42 22572a70521 38->42 39->40 44 22572a705af-22572a705b2 40->44 43 22572a70523-22572a7052f 41->43 42->43 43->36 43->38 46 22572a705b4-22572a705bf 44->46 47 22572a705c1-22572a705db 44->47 46->44 48 22572a7061b-22572a70622 47->48 49 22572a705dd-22572a705e2 47->49 50 22572a706db-22572a706e2 48->50 51 22572a70628-22572a7062f 48->51 52 22572a705e4-22572a705ea 49->52 54 22572a706e8-22572a706f9 50->54 55 22572a70864-22572a7086b 50->55 51->50 53 22572a70635-22572a70642 51->53 56 22572a705ec-22572a70609 52->56 57 22572a7060b-22572a70619 52->57 53->50 60 22572a70648-22572a7064f 53->60 61 22572a70702-22572a70705 54->61 58 22572a70917-22572a70929 55->58 59 22572a70871-22572a7087f 55->59 56->56 56->57 57->48 57->52 62 22572a70a07-22572a70a1a 58->62 63 22572a7092f-22572a70937 58->63 64 22572a7090e-22572a70911 59->64 65 22572a70654-22572a70658 60->65 66 22572a706fb-22572a706ff 61->66 67 22572a70707-22572a7070a 61->67 88 22572a70a1c-22572a70a27 62->88 89 22572a70a40-22572a70a4a 62->89 68 22572a7093b-22572a7093f 63->68 64->58 72 22572a70884-22572a708a9 64->72 69 22572a706c0-22572a706ca 65->69 66->61 70 22572a7070c-22572a7071d 67->70 71 22572a70788-22572a7078e 67->71 73 22572a709ec-22572a709fa 68->73 74 22572a70945-22572a7095a 68->74 78 22572a706cc-22572a706d2 69->78 79 22572a7065a-22572a70669 69->79 75 22572a70794-22572a707a2 70->75 76 22572a7071f-22572a70720 70->76 71->75 94 22572a708ab-22572a708b1 72->94 95 22572a70907-22572a7090c 72->95 73->68 84 22572a70a00-22572a70a01 73->84 81 22572a7095c-22572a7095e 74->81 82 22572a7097b-22572a7097d 74->82 90 22572a707a8 75->90 91 22572a7085d-22572a7085e 75->91 87 22572a70722-22572a70784 76->87 78->65 80 22572a706d4-22572a706d5 78->80 85 22572a7066b-22572a70678 79->85 86 22572a7067a-22572a7067e 79->86 80->50 92 22572a70960-22572a7096c 81->92 93 22572a7096e-22572a70979 81->93 97 22572a709a2-22572a709a4 82->97 98 22572a7097f-22572a70981 82->98 84->62 96 22572a706bd-22572a706be 85->96 99 22572a7068c-22572a70690 86->99 100 22572a70680-22572a7068a 86->100 87->87 101 22572a70786 87->101 102 22572a70a38-22572a70a3e 88->102 104 22572a70a4c-22572a70a54 89->104 105 22572a70a7b-22572a70a8e 89->105 103 22572a707ae-22572a707d4 90->103 91->55 110 22572a709be-22572a709bf 92->110 93->110 106 22572a708bb-22572a708c8 94->106 107 22572a708b3-22572a708b9 94->107 95->64 96->69 116 22572a709ac-22572a709bb 97->116 117 22572a709a6-22572a709aa 97->117 111 22572a70989-22572a7098b 98->111 112 22572a70983-22572a70987 98->112 114 22572a706a5-22572a706a9 99->114 115 22572a70692-22572a706a3 99->115 113 22572a706b6-22572a706ba 100->113 101->75 102->89 108 22572a70a29-22572a70a35 102->108 129 22572a707d6-22572a707d9 103->129 130 22572a70835-22572a70839 103->130 104->105 109 22572a70a56-22572a70a79 RtlAddFunctionTable 104->109 105->27 120 22572a708ca-22572a708d1 106->120 121 22572a708d3-22572a708e5 106->121 119 22572a708ea-22572a708fe 107->119 108->102 109->105 118 22572a709c5-22572a709cb 110->118 111->97 124 22572a7098d-22572a7098f 111->124 112->110 113->96 114->96 125 22572a706ab-22572a706b3 114->125 115->113 116->110 117->110 126 22572a709d9-22572a709e9 VirtualProtect 118->126 127 22572a709cd-22572a709d3 118->127 119->95 138 22572a70900-22572a70905 119->138 120->120 120->121 121->119 131 22572a70999-22572a709a0 124->131 132 22572a70991-22572a70997 124->132 125->113 126->73 127->126 134 22572a707db-22572a707e1 129->134 135 22572a707e3-22572a707f0 129->135 136 22572a7083b 130->136 137 22572a70844-22572a70850 130->137 131->118 132->110 139 22572a70812-22572a7082c 134->139 140 22572a707fb-22572a7080d 135->140 141 22572a707f2-22572a707f9 135->141 136->137 137->103 142 22572a70856-22572a70857 137->142 138->94 139->130 144 22572a7082e-22572a70833 139->144 140->139 141->140 141->141 142->91 144->129
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.383651813.0000022572A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022572A70000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_22572a70000_rundll32.jbxd
                                                                    Similarity
                                                                    • API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
                                                                    • String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
                                                                    • API String ID: 394283112-2517549848
                                                                    • Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                    • Instruction ID: ce55be65d5148906a8f00a8c93fd39d55a5d1138af6217e3a766c4227473026a
                                                                    • Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                    • Instruction Fuzzy Hash: 5972E330618E489FEB69DF58CC897B9B7E1FB94305F10862DE88AC3251DBB4D542CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018002C058 Relevance: 10.4, Strings: 8, Instructions: 370COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.382880372.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #C$(I$-:$Ekf$<W$Z$l$l
                                                                    • API String ID: 0-464535774
                                                                    • Opcode ID: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
                                                                    • Instruction ID: edc4d0e98499d5b5adff65828f8d1fd2ac7ce79502a6533da94e18623254a36a
                                                                    • Opcode Fuzzy Hash: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
                                                                    • Instruction Fuzzy Hash: C102E3B151038CDBCB99DF28C8CAADD3BA1FB48398F956219FD0697260D774D884CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180010FF4 Relevance: 7.9, Strings: 6, Instructions: 363COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 180 180010ff4-180011016 181 180011020 180->181 182 180011022-180011028 181->182 183 180011814 182->183 184 18001102e-180011034 182->184 185 180011819-18001181f 183->185 186 1800114e2-1800114ec 184->186 187 18001103a-180011040 184->187 185->182 188 180011825-180011832 185->188 191 1800114f5-18001151d 186->191 192 1800114ee-1800114f3 186->192 189 1800113e2-1800114d2 call 180008200 187->189 190 180011046-18001104c 187->190 189->188 199 1800114d8-1800114dd 189->199 190->185 194 180011052-18001120b call 180021040 call 1800291ac 190->194 195 180011523-1800117f4 call 180016314 call 1800291ac call 18001e2bc 191->195 192->195 207 180011212-1800113d7 call 1800291ac call 18001e2bc 194->207 208 18001120d 194->208 209 1800117f9-180011803 195->209 199->182 207->188 215 1800113dd 207->215 208->207 209->188 212 180011805-18001180f 209->212 212->182 215->181
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.382880372.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: )|x$/Zb$/v|$OV4T$\$lA
                                                                    • API String ID: 0-3528011396
                                                                    • Opcode ID: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
                                                                    • Instruction ID: 5dbdb21e6b24644f90705741d0e2e2cc24c858ca1caac6c8284349b4f9dc1789
                                                                    • Opcode Fuzzy Hash: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
                                                                    • Instruction Fuzzy Hash: 8C2204705097C8CBDBBECF64C885BDA7BA8FB44B08F10521DEA4A9E258DB745744CB41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180021618 Relevance: 7.8, Strings: 6, Instructions: 266COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 216 180021618-180021653 217 180021655-18002165a 216->217 218 180021bf3-180021c25 217->218 219 180021660-180021665 217->219 220 180021c2a-180021c2f 218->220 221 180021a81-180021bda call 180016314 219->221 222 18002166b-180021670 219->222 223 180021838-180021845 220->223 224 180021c35 220->224 228 180021bdf-180021bee 221->228 225 1800219f3-180021a7c call 180001b1c 222->225 226 180021676-18002167b 222->226 224->217 225->217 229 1800219e4-1800219ee 226->229 230 180021681-180021686 226->230 228->217 229->217 232 1800219d5-1800219df call 18001dfb4 230->232 233 18002168c-180021691 230->233 232->217 235 180021697-18002169c 233->235 236 18002190c-1800219a5 call 18000abac 233->236 239 1800216a2-1800216a7 235->239 240 180021846-180021907 call 180021434 235->240 243 1800219aa-1800219b0 236->243 239->220 244 1800216ad-180021835 call 180008200 call 1800166c0 239->244 240->217 246 1800219b2-1800219c6 243->246 247 1800219cb-1800219d0 243->247 244->223 246->217 247->217
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.382880372.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $&.+$)O$.pN$F>9$t(/
                                                                    • API String ID: 0-3036092626
                                                                    • Opcode ID: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
                                                                    • Instruction ID: e4baced68933c0a0796cf32b330105f1a6d3ed4de4784e8c7f389f9334031704
                                                                    • Opcode Fuzzy Hash: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
                                                                    • Instruction Fuzzy Hash: E6E109716093C89FEBBACF24C8897DE7BA1FB59344F50421DD88A8E250DB745B49CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180028C20 Relevance: 6.6, Strings: 5, Instructions: 335COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 252 180028c20-180028c53 253 180028c58-180028c5e 252->253 254 180028c64-180028c6a 253->254 255 1800290ae-180029147 call 180013e28 253->255 256 1800290a4-1800290a9 254->256 257 180028c70-180028c76 254->257 262 18002914c-180029152 255->262 256->253 259 180029003-18002909f call 180008ea0 257->259 260 180028c7c-180028c82 257->260 259->253 264 180028c88-180028c8e 260->264 265 180028fab-180028ffe call 1800223c4 260->265 268 180029154 262->268 269 18002919c-1800291a8 262->269 266 180028c94-180028c9a 264->266 267 180028df6-180028e1e 264->267 265->253 272 180028d62-180028ddb call 180016bd8 266->272 273 180028ca0-180028ca6 266->273 267->253 275 180028e24-180028e3c 267->275 268->253 285 180028de0-180028de6 272->285 276 180028cac-180028cb2 273->276 277 180029159-180029197 call 1800164c8 273->277 279 180028e42-180028ee6 call 18001d49c 275->279 280 180028ee9-180028f0b 275->280 276->262 283 180028cb8-180028d5d call 180010c00 276->283 277->269 279->280 281 180028f94-180028f95 280->281 282 180028f11-180028f92 call 18001d49c 280->282 288 180028f98-180028f9b 281->288 282->288 283->253 285->269 290 180028dec-180028df1 285->290 288->253 293 180028fa1-180028fa6 288->293 290->253 293->253
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.382880372.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: :G$Q27$_5$yy8x$Mh
                                                                    • API String ID: 0-3587547327
                                                                    • Opcode ID: 315710b1bd8495485e823c5d8e4dda2fa20a4e0309c27e75a691e805bd33ac06
                                                                    • Instruction ID: f758bc8895b8ed7f582f71be29fb7142b0f1d07f9cbefdc8313849e51cf7b1d3
                                                                    • Opcode Fuzzy Hash: 315710b1bd8495485e823c5d8e4dda2fa20a4e0309c27e75a691e805bd33ac06
                                                                    • Instruction Fuzzy Hash: 3DF1E07051434CEBDFA9DF68C8CAA9D3BA0FF48394FA06219FD0696250D775D988CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000C608 Relevance: 5.6, Strings: 4, Instructions: 616COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 295 18000c608-18000c62d 296 18000c632-18000c637 295->296 297 18000cc8a-18000cc8f 296->297 298 18000c63d 296->298 299 18000cc95-18000cc9a 297->299 300 18000cf2b-18000cfaf call 18001f7c0 call 18001c32c 297->300 301 18000c643-18000c648 298->301 302 18000cb7d-18000cc23 call 1800269b0 call 18001c32c 298->302 304 18000ce33-18000ced7 call 180008ad8 call 18001c32c 299->304 305 18000cca0-18000cca5 299->305 328 18000cfb4-18000d00a call 1800194a4 300->328 306 18000caa5-18000cb78 call 1800176b8 call 18001c32c call 1800194a4 301->306 307 18000c64e-18000c653 301->307 329 18000cc28-18000cc85 call 1800194a4 302->329 343 18000cedc-18000cf26 call 1800194a4 304->343 311 18000cd35-18000cdce call 18000703c call 18001c32c 305->311 312 18000ccab-18000ccb0 305->312 306->296 314 18000c9c1-18000ca52 call 18002870c call 18001c32c 307->314 315 18000c659-18000c65e 307->315 348 18000cdd3-18000ce2e call 1800194a4 311->348 320 18000ccb6-18000cd30 call 180021434 312->320 321 18000d00f-18000d014 312->321 351 18000ca57-18000caa0 call 1800194a4 314->351 323 18000c664-18000c669 315->323 324 18000c8bb-18000c963 call 180002610 call 18001c32c 315->324 320->296 321->296 331 18000d01a-18000d020 321->331 335 18000c7b2-18000c85a call 180019618 call 18001c32c 323->335 336 18000c66f-18000c674 323->336 363 18000c968-18000c9bc call 1800194a4 324->363 328->321 329->296 368 18000c85f-18000c8b6 call 1800194a4 335->368 336->321 346 18000c67a-18000c73d call 180002178 call 18001c32c 336->346 343->296 369 18000c742-18000c7ad call 1800194a4 346->369 348->296 351->296 363->296 368->296 369->296
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.382880372.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: +#;)$K'$sf$w\H
                                                                    • API String ID: 0-1051058546
                                                                    • Opcode ID: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
                                                                    • Instruction ID: 30c6111824d62709d88844cae5ccd518ea343406d57bec7882368cdc1c6a6611
                                                                    • Opcode Fuzzy Hash: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
                                                                    • Instruction Fuzzy Hash: 8362F97050068D8FDB48DF28C89A6DD3FA1FB58388F524229FC4AA7251D778D999CBC4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001E3AC Relevance: 4.0, Strings: 3, Instructions: 215COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.382880372.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: <4P$<8$<w.
                                                                    • API String ID: 0-1030867500
                                                                    • Opcode ID: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
                                                                    • Instruction ID: 97d266913d6b0fd63d839b3c54903fd41a2ccd22a8a26fffcb9587bfe3b6431f
                                                                    • Opcode Fuzzy Hash: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
                                                                    • Instruction Fuzzy Hash: C8B1E17151A384ABD788CF28C1C994BBBE1FBD4754F906A1DF8C68B260D7B0D948CB02
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001C964 Relevance: 1.5, Strings: 1, Instructions: 207COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 390 18001c964-18001c99f 391 18001c9a2-18001c9a7 390->391 392 18001cbac-18001cbfd call 18000abac 391->392 393 18001c9ad-18001c9b2 391->393 400 18001cc02-18001cc08 392->400 394 18001c9b8-18001c9bd 393->394 395 18001cb50-18001cba7 call 180010dd0 393->395 397 18001c9c3-18001c9c8 394->397 398 18001cae9-18001cb4b call 180001b1c 394->398 395->391 401 18001cc25-18001cc90 call 180001b1c 397->401 402 18001c9ce-18001c9d3 397->402 398->391 404 18001cc14 400->404 405 18001cc0a-18001cc0f 400->405 414 18001cc95-18001cca1 401->414 408 18001cac1-18001cacf 402->408 409 18001c9d9-18001c9de 402->409 410 18001cc19-18001cc1e 404->410 405->391 416 18001cad5-18001cad9 408->416 412 18001c9e4-18001c9e9 409->412 413 18001cab7-18001cabc 409->413 410->414 415 18001cc20 410->415 412->410 417 18001c9ef-18001cab2 call 18002b4c4 412->417 413->391 415->391 418 18001cad1-18001cad2 416->418 419 18001cadb-18001cae4 416->419 417->391 418->416 419->391
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.382880372.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: xDC
                                                                    • API String ID: 0-90241050
                                                                    • Opcode ID: 1794493f14346c80bf95ebec7e4fc927d8b172e8d91b7fcff559d0595d0365ee
                                                                    • Instruction ID: 9121b1bc5c885adbeef7a29f5b0494aad7ac2618abc594bea640adf26706a648
                                                                    • Opcode Fuzzy Hash: 1794493f14346c80bf95ebec7e4fc927d8b172e8d91b7fcff559d0595d0365ee
                                                                    • Instruction Fuzzy Hash: F391387052065CEBDB99DF68C8CAADD3BA0FB48394F906219FC4287250C775D9C98B86
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180009100 Relevance: .1, Instructions: 125COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.382880372.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
                                                                    • Instruction ID: 281782cf28aa09d34d334260f991d1b96cfbd8271b51b9b7c31761fd0664cb75
                                                                    • Opcode Fuzzy Hash: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
                                                                    • Instruction Fuzzy Hash: 4B51EC715087889BCBB8DF18C9856CA7BF0FF95704F50891DE9898B250DF719A44DB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions

                                                                    Function 0000000180022010 Relevance: 9.0, Strings: 7, Instructions: 235COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 433 180022010-18002203b 434 18002203d-180022043 433->434 435 180022338-1800223a1 call 18001455c 434->435 436 180022049-18002204f 434->436 443 1800223a6-1800223ac 435->443 437 180022055-18002205b 436->437 438 18002232e-180022333 436->438 441 180022061-180022067 437->441 442 1800222be-180022329 call 180019cb4 437->442 438->434 445 180022069-18002206f 441->445 446 18002209a-1800222b9 call 18001dbe8 call 180012320 call 1800194a4 441->446 442->434 443->434 447 1800223b2-1800223c2 443->447 445->443 450 180022075-180022083 445->450 446->443 451 180022089-18002208d 450->451 453 180022085-180022086 451->453 454 18002208f-180022098 451->454 453->451 454->434
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.382880372.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: "+H$1l7.$M8;$]$d$]k$]k$94
                                                                    • API String ID: 0-2447245168
                                                                    • Opcode ID: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
                                                                    • Instruction ID: 1221e244f5383d3e6569bf50eb566ee92e7d288cf12f4405919b94e37960c7a7
                                                                    • Opcode Fuzzy Hash: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
                                                                    • Instruction Fuzzy Hash: 3FB10D7160130CCBDBA9DF28C18A6DA3BE1FF48748F114129FD1A97261D774E919CB46
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800059B8 Relevance: 7.9, Strings: 6, Instructions: 408COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 643 1800059b8-180005a02 644 180005a04-180005a09 643->644 645 180006107-1800061a6 call 180001b1c 644->645 646 180005a0f-180005a14 644->646 657 1800061ab-1800061b0 645->657 647 180005a1a-180005a1f 646->647 648 180005fcd-180006102 call 180016314 646->648 651 180005a25-180005a2a 647->651 652 180005da6-180005fb1 call 1800093f0 647->652 648->644 655 1800061bb-18000625a call 180001b1c 651->655 656 180005a30-180005a35 651->656 668 180005fc3-180005fc8 652->668 669 180005fb3-180005fbe 652->669 662 18000625f-180006271 655->662 659 180005a3b-180005a40 656->659 660 180005d7e-180005d8c 656->660 661 1800061b6 657->661 657->662 665 180005a46-180005a4b 659->665 666 180005b78-180005d79 call 180009f5c call 18000a62c call 1800194a4 659->666 667 180005d92-180005d96 660->667 661->644 671 180005a51-180005a56 665->671 672 180005ad8-180005b68 call 18000abac 665->672 666->644 673 180005d98-180005da1 667->673 674 180005d8e-180005d8f 667->674 668->644 669->644 671->657 676 180005a5c-180005ad3 call 180007958 671->676 672->662 681 180005b6e-180005b73 672->681 673->644 674->667 676->644 681->644
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.382880372.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: -!zt$Mv`b$R3T$d}9J$t:v$ru
                                                                    • API String ID: 0-2100131636
                                                                    • Opcode ID: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
                                                                    • Instruction ID: abddbd47ac15f5a8ffacaf8e31a06efd054a3dbd2afb1a66e8bbaa14beb483a4
                                                                    • Opcode Fuzzy Hash: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
                                                                    • Instruction Fuzzy Hash: C1221BB050478C8BDBB8CF64C9897DD7BB0FB44308F10862DDA5AAB250CBB45686CF59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180013780 Relevance: 7.8, Strings: 6, Instructions: 323COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 686 180013780-1800137f4 call 1800142a0 689 1800137fb-180013800 686->689 690 180013806-18001380b 689->690 691 180013c55-180013ce4 call 18002620c 689->691 692 180013811-180013816 690->692 693 180013c4b-180013c50 690->693 700 180013ce6-180013ceb 691->700 701 180013cf0 691->701 695 18001381c-180013821 692->695 696 1800138cd-180013c46 call 180006664 call 18000bb28 call 18002a6c8 call 1800194a4 692->696 693->689 698 180013cf5-180013cfa 695->698 699 180013827-1800138a9 call 18000290c 695->699 696->689 704 1800138ae-1800138cc 698->704 705 180013d00 698->705 699->704 700->689 701->698 705->689
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.382880372.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $$"`2$lbzZ$lmq$tro$kO
                                                                    • API String ID: 0-2401169580
                                                                    • Opcode ID: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
                                                                    • Instruction ID: 279b0f6eedbbacd77816cba7ac57bf6919de5fbe0bc464da326619847ce4fcd1
                                                                    • Opcode Fuzzy Hash: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
                                                                    • Instruction Fuzzy Hash: BBF1C3709047488FDBA8DFA8D9867DDBBB1FB48304F20821DD84AEB255DB749A49CF41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000FC48 Relevance: 6.7, Strings: 5, Instructions: 447COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.382880372.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: )#?$EX.$PT$UbA$2f
                                                                    • API String ID: 0-1318892062
                                                                    • Opcode ID: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
                                                                    • Instruction ID: a9b5704be98d3dd027f678fe08c59eda011257bdda9cf4ed25ea0f7660729633
                                                                    • Opcode Fuzzy Hash: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
                                                                    • Instruction Fuzzy Hash: 8B320DB190078C8BDBB8CF64C8856DD7BF0FB48318F50852DEA1A9B251DBB45685CF98
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001FC0C Relevance: 6.6, Strings: 5, Instructions: 400COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.382880372.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $T$?F$QP|m$qjf$tZp
                                                                    • API String ID: 0-3477398917
                                                                    • Opcode ID: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
                                                                    • Instruction ID: e54beaa769b94aae3cb673a52a2b60ade73482c6e5d3d936cdc9b6ae13d51efd
                                                                    • Opcode Fuzzy Hash: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
                                                                    • Instruction Fuzzy Hash: 0B122870A0470CDFCF69DFA8C08A6DDBBF2FB44344F1091A9E816AB261D7759A19CB41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180016D3C Relevance: 6.6, Strings: 5, Instructions: 379COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.382880372.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: JQ$k&($t$v$x\J
                                                                    • API String ID: 0-1134872184
                                                                    • Opcode ID: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
                                                                    • Instruction ID: 7c1fd17b310acde7e359d6be57bcfb6c2dd011f2caef592e77d3cba241376f6b
                                                                    • Opcode Fuzzy Hash: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
                                                                    • Instruction Fuzzy Hash: F312E0B0504709EFCB99DF28C18AADE7BF0FB48308F40812AF80A9B254D774DA58DB45
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000703C Relevance: 6.3, Strings: 5, Instructions: 87COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.382880372.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: R$)H8$?rIc$L==$V
                                                                    • API String ID: 0-2512384441
                                                                    • Opcode ID: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
                                                                    • Instruction ID: 6f6f9af97a41f07aad9f9d1cbd67af5334817a93c453241fb2a5d498ae2065c2
                                                                    • Opcode Fuzzy Hash: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
                                                                    • Instruction Fuzzy Hash: 3541D0B090074E8BCF48CF64D49A5DE7FB0FB68398F20421DE856A6250D3B896A5CFC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800119A8 Relevance: 6.3, Strings: 5, Instructions: 63COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.382880372.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Qq$bt$vird$+$S
                                                                    • API String ID: 0-3373980505
                                                                    • Opcode ID: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
                                                                    • Instruction ID: 8c34661c01ca41a1498f33dadfb9b2381b3c020394efcb6cfebc1cbd8490f91c
                                                                    • Opcode Fuzzy Hash: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
                                                                    • Instruction Fuzzy Hash: 8831C2B081038A8FDB45CF64C88A5DE7BF0FB58358F115A19F869A6250D3B4D668CF81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180011AD0 Relevance: 5.3, Strings: 4, Instructions: 335COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.382880372.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: V$@$P9$^_"
                                                                    • API String ID: 0-1880944046
                                                                    • Opcode ID: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
                                                                    • Instruction ID: ef3f81825b514374c5d287d432cdf068934c0dc0259921085eace1de493a05f6
                                                                    • Opcode Fuzzy Hash: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
                                                                    • Instruction Fuzzy Hash: B6F1DF70504749EFCB98CF28D18AACE7BE0FB48348F50812AF81A9B264D770DA59DB45
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800132F0 Relevance: 5.3, Strings: 4, Instructions: 312COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.382880372.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: =_$F)k$b/$syG
                                                                    • API String ID: 0-3955183656
                                                                    • Opcode ID: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
                                                                    • Instruction ID: 3a63fdd7148b145f5d2717dabea2a2fa508061acbcc25a132c341bfe6e9ad30f
                                                                    • Opcode Fuzzy Hash: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
                                                                    • Instruction Fuzzy Hash: DED12771A0478D8BCF59DFA8C88A6EEBBB0FB48344F10421DE846A7650D7B4D909CF85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180002D70 Relevance: 5.3, Strings: 4, Instructions: 266COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.382880372.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #X$'Xsa$iJ6$vG
                                                                    • API String ID: 0-746338152
                                                                    • Opcode ID: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
                                                                    • Instruction ID: 8ba50615c78112980223cca8f04f1fa67c4b69ee5a809e4e0bd2b8ae6832a1bb
                                                                    • Opcode Fuzzy Hash: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
                                                                    • Instruction Fuzzy Hash: 93E154B590070DDFCB88DF68D19A9DD7BB9BB49308F404029FC0E9A264D3B4E919CB56
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800097C0 Relevance: 5.3, Strings: 4, Instructions: 257COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.382880372.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: *i^$MIC$-Z$]2
                                                                    • API String ID: 0-498664264
                                                                    • Opcode ID: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
                                                                    • Instruction ID: 9792ecb135b2155067e966d5e38dbf4f409fde80c29e70d57d2078ebe1ce15c6
                                                                    • Opcode Fuzzy Hash: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
                                                                    • Instruction Fuzzy Hash: 10E1C670109B888FDBF8DF64CC86BEB7BA5FB44346F10651DD84A8A290DBB46645CF41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180027F9C Relevance: 5.2, Strings: 4, Instructions: 237COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.382880372.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: >97"$?$LsRW$~x
                                                                    • API String ID: 0-2554301858
                                                                    • Opcode ID: b37088c51263af6e06ebf62d89f1bff1b13e76a95d3b3fa096a3ef4bda325288
                                                                    • Instruction ID: eb38a845d203af82144c13b3f151f5fa827cd0cb8678597ee03ac1a376820114
                                                                    • Opcode Fuzzy Hash: b37088c51263af6e06ebf62d89f1bff1b13e76a95d3b3fa096a3ef4bda325288
                                                                    • Instruction Fuzzy Hash: E1D1E7705067C8CBEBBADFA4D885BCD3BA8FB44744F106219EC4AEA250DB745749CB01
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180010758 Relevance: 5.2, Strings: 4, Instructions: 222COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.382880372.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: B$EG$QsF$_
                                                                    • API String ID: 0-784369960
                                                                    • Opcode ID: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
                                                                    • Instruction ID: 62dbbc71664ee0946fffbba3b71afe09b12d9ffe0d1744d6deb9db65ff0cd9cc
                                                                    • Opcode Fuzzy Hash: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
                                                                    • Instruction Fuzzy Hash: 3FB1387010468D8FDF88DF28C88A6DA3FA1FB68388F614219FC4A97250C778D694CBC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180020334 Relevance: 5.2, Strings: 4, Instructions: 190COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.382880372.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: -`G$.$5B.Y$Z`35
                                                                    • API String ID: 0-1363032466
                                                                    • Opcode ID: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
                                                                    • Instruction ID: b244d414363a4385de25ad5610b22aaac7fb2f2c92cf8150697ad32e565f4bd8
                                                                    • Opcode Fuzzy Hash: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
                                                                    • Instruction Fuzzy Hash: 29A1FB716157888FEB7ADF24C89A7CE7BE1FB49308F40461DD98E8A250D7B49609CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000EE98 Relevance: 5.2, Strings: 4, Instructions: 167COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.382880372.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: *+_$WSh$\O$#o
                                                                    • API String ID: 0-1846314129
                                                                    • Opcode ID: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
                                                                    • Instruction ID: 175ce4bc0e22c7a636d32034be2bbb8ad42f6b3cb6a748f64f507b7f0b29ed37
                                                                    • Opcode Fuzzy Hash: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
                                                                    • Instruction Fuzzy Hash: 1971167160474ECFCB98DF18C489ADA3BE1FB58318F414529FC09A7264DB74DAA8CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180024D80 Relevance: 5.2, Strings: 4, Instructions: 155COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.382880372.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: .B$O$M*K$\<
                                                                    • API String ID: 0-3225238681
                                                                    • Opcode ID: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
                                                                    • Instruction ID: 95d2fbb8f7fe970b1359d27f41ccd6aad584115d4fee043204e0c0f4c3f3b287
                                                                    • Opcode Fuzzy Hash: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
                                                                    • Instruction Fuzzy Hash: 7181E370549788CFEBBACF24C886BDE7BE4FB48744F20461DE85A8A260DB709645CF41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018002A42C Relevance: 5.1, Strings: 4, Instructions: 143COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.382880372.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $$$$xVO$~O
                                                                    • API String ID: 0-3655128719
                                                                    • Opcode ID: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
                                                                    • Instruction ID: 8f78542db34460f4381821bab2b7e4f68a699ed7f8b2fc47c959991f0b02677a
                                                                    • Opcode Fuzzy Hash: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
                                                                    • Instruction Fuzzy Hash: 5B61D1B05187448FD369DF28C18965BBBF1FBC6744F008A1EF6868A260DB76D948CB47
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800024B8 Relevance: 5.1, Strings: 4, Instructions: 79COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.382880372.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ,IW$G$JMg$l
                                                                    • API String ID: 0-1370644289
                                                                    • Opcode ID: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
                                                                    • Instruction ID: 7fb8b97fd43ed4dc52a467cdcf5cca41e6e56dbc92574a5c866222c6b731b82a
                                                                    • Opcode Fuzzy Hash: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
                                                                    • Instruction Fuzzy Hash: 0A41D3B190074E8FCB48CF64C88A5DE7FB0FB18358F10461EE85AA6250D7B89695CFC9
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180018AB4 Relevance: 5.1, Strings: 4, Instructions: 119COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.382880372.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ,$,$2S=$i`}G
                                                                    • API String ID: 0-4285990414
                                                                    • Opcode ID: 1704a5678c6fc7c63ed33a4399dbb19a0648d0f8b4dca33206a3e55e43de3fb6
                                                                    • Instruction ID: 665cb0e6160ce90faac3fa7baf9a16caae401c848b442bb7533a8cc1fd62885f
                                                                    • Opcode Fuzzy Hash: 1704a5678c6fc7c63ed33a4399dbb19a0648d0f8b4dca33206a3e55e43de3fb6
                                                                    • Instruction Fuzzy Hash: 4D41E57051CB848FD7B4DF18D486BDABBE0FB98750F40495EE48DC3251DBB0A8858B86
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Execution Graph

                                                                    Execution Coverage:10.7%
                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:11
                                                                    Total number of Limit Nodes:0
                                                                    execution_graph 3264 1d80d4e0000 3265 1d80d4e0183 3264->3265 3266 1d80d4e043e VirtualAlloc 3265->3266 3270 1d80d4e0462 3266->3270 3267 1d80d4e0a7b 3268 1d80d4e0531 GetNativeSystemInfo 3268->3267 3269 1d80d4e056d VirtualAlloc 3268->3269 3274 1d80d4e058b 3269->3274 3270->3267 3270->3268 3271 1d80d4e0a00 3271->3267 3272 1d80d4e0a56 RtlAddFunctionTable 3271->3272 3272->3267 3273 1d80d4e09d9 VirtualProtect 3273->3274 3274->3271 3274->3273

                                                                    Executed Functions

                                                                    Function 000001D80D4E0000 Relevance: 76.3, APIs: 5, Strings: 38, Instructions: 1094memoryCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 0 1d80d4e0000-1d80d4e0460 call 1d80d4e0aa8 * 2 VirtualAlloc 22 1d80d4e0462-1d80d4e0466 0->22 23 1d80d4e048a-1d80d4e0494 0->23 24 1d80d4e0468-1d80d4e0488 22->24 26 1d80d4e0a91-1d80d4e0aa6 23->26 27 1d80d4e049a-1d80d4e049e 23->27 24->23 24->24 27->26 28 1d80d4e04a4-1d80d4e04a8 27->28 28->26 29 1d80d4e04ae-1d80d4e04b2 28->29 29->26 30 1d80d4e04b8-1d80d4e04bf 29->30 30->26 31 1d80d4e04c5-1d80d4e04d2 30->31 31->26 32 1d80d4e04d8-1d80d4e04e1 31->32 32->26 33 1d80d4e04e7-1d80d4e04f4 32->33 33->26 34 1d80d4e04fa-1d80d4e0507 33->34 35 1d80d4e0531-1d80d4e0567 GetNativeSystemInfo 34->35 36 1d80d4e0509-1d80d4e0511 34->36 35->26 37 1d80d4e056d-1d80d4e0589 VirtualAlloc 35->37 38 1d80d4e0513-1d80d4e0518 36->38 39 1d80d4e05a0-1d80d4e05ac 37->39 40 1d80d4e058b-1d80d4e059e 37->40 41 1d80d4e0521 38->41 42 1d80d4e051a-1d80d4e051f 38->42 44 1d80d4e05af-1d80d4e05b2 39->44 40->39 43 1d80d4e0523-1d80d4e052f 41->43 42->43 43->35 43->38 46 1d80d4e05b4-1d80d4e05bf 44->46 47 1d80d4e05c1-1d80d4e05db 44->47 46->44 48 1d80d4e05dd-1d80d4e05e2 47->48 49 1d80d4e061b-1d80d4e0622 47->49 50 1d80d4e05e4-1d80d4e05ea 48->50 51 1d80d4e06db-1d80d4e06e2 49->51 52 1d80d4e0628-1d80d4e062f 49->52 56 1d80d4e05ec-1d80d4e0609 50->56 57 1d80d4e060b-1d80d4e0619 50->57 54 1d80d4e0864-1d80d4e086b 51->54 55 1d80d4e06e8-1d80d4e06f9 51->55 52->51 53 1d80d4e0635-1d80d4e0642 52->53 53->51 58 1d80d4e0648-1d80d4e064f 53->58 60 1d80d4e0917-1d80d4e0929 54->60 61 1d80d4e0871-1d80d4e087f 54->61 59 1d80d4e0702-1d80d4e0705 55->59 56->56 56->57 57->49 57->50 63 1d80d4e0654-1d80d4e0658 58->63 64 1d80d4e0707-1d80d4e070a 59->64 65 1d80d4e06fb-1d80d4e06ff 59->65 66 1d80d4e0a07-1d80d4e0a1a 60->66 67 1d80d4e092f-1d80d4e0937 60->67 62 1d80d4e090e-1d80d4e0911 61->62 62->60 72 1d80d4e0884-1d80d4e08a9 62->72 69 1d80d4e06c0-1d80d4e06ca 63->69 70 1d80d4e070c-1d80d4e071d 64->70 71 1d80d4e0788-1d80d4e078e 64->71 65->59 87 1d80d4e0a40-1d80d4e0a4a 66->87 88 1d80d4e0a1c-1d80d4e0a27 66->88 68 1d80d4e093b-1d80d4e093f 67->68 73 1d80d4e0945-1d80d4e095a 68->73 74 1d80d4e09ec-1d80d4e09fa 68->74 78 1d80d4e06cc-1d80d4e06d2 69->78 79 1d80d4e065a-1d80d4e0669 69->79 75 1d80d4e0794-1d80d4e07a2 70->75 76 1d80d4e071f-1d80d4e0720 70->76 71->75 94 1d80d4e0907-1d80d4e090c 72->94 95 1d80d4e08ab-1d80d4e08b1 72->95 80 1d80d4e095c-1d80d4e095e 73->80 81 1d80d4e097b-1d80d4e097d 73->81 74->68 83 1d80d4e0a00-1d80d4e0a01 74->83 89 1d80d4e085d-1d80d4e085e 75->89 90 1d80d4e07a8 75->90 86 1d80d4e0722-1d80d4e0784 76->86 78->63 91 1d80d4e06d4-1d80d4e06d5 78->91 84 1d80d4e067a-1d80d4e067e 79->84 85 1d80d4e066b-1d80d4e0678 79->85 92 1d80d4e0960-1d80d4e096c 80->92 93 1d80d4e096e-1d80d4e0979 80->93 97 1d80d4e09a2-1d80d4e09a4 81->97 98 1d80d4e097f-1d80d4e0981 81->98 83->66 99 1d80d4e0680-1d80d4e068a 84->99 100 1d80d4e068c-1d80d4e0690 84->100 96 1d80d4e06bd-1d80d4e06be 85->96 86->86 101 1d80d4e0786 86->101 104 1d80d4e0a4c-1d80d4e0a54 87->104 105 1d80d4e0a7b-1d80d4e0a8e 87->105 102 1d80d4e0a38-1d80d4e0a3e 88->102 89->54 103 1d80d4e07ae-1d80d4e07d4 90->103 91->51 110 1d80d4e09be-1d80d4e09bf 92->110 93->110 94->62 106 1d80d4e08b3-1d80d4e08b9 95->106 107 1d80d4e08bb-1d80d4e08c8 95->107 96->69 116 1d80d4e09a6-1d80d4e09aa 97->116 117 1d80d4e09ac-1d80d4e09bb 97->117 111 1d80d4e0983-1d80d4e0987 98->111 112 1d80d4e0989-1d80d4e098b 98->112 113 1d80d4e06b6-1d80d4e06ba 99->113 114 1d80d4e06a5-1d80d4e06a9 100->114 115 1d80d4e0692-1d80d4e06a3 100->115 101->75 102->87 108 1d80d4e0a29-1d80d4e0a35 102->108 129 1d80d4e07d6-1d80d4e07d9 103->129 130 1d80d4e0835-1d80d4e0839 103->130 104->105 109 1d80d4e0a56-1d80d4e0a79 RtlAddFunctionTable 104->109 105->26 119 1d80d4e08ea-1d80d4e08fe 106->119 120 1d80d4e08d3-1d80d4e08e5 107->120 121 1d80d4e08ca-1d80d4e08d1 107->121 108->102 109->105 118 1d80d4e09c5-1d80d4e09cb 110->118 111->110 112->97 124 1d80d4e098d-1d80d4e098f 112->124 113->96 114->96 125 1d80d4e06ab-1d80d4e06b3 114->125 115->113 116->110 117->110 126 1d80d4e09cd-1d80d4e09d3 118->126 127 1d80d4e09d9-1d80d4e09e9 VirtualProtect 118->127 119->94 138 1d80d4e0900-1d80d4e0905 119->138 120->119 121->120 121->121 131 1d80d4e0991-1d80d4e0997 124->131 132 1d80d4e0999-1d80d4e09a0 124->132 125->113 126->127 127->74 134 1d80d4e07e3-1d80d4e07f0 129->134 135 1d80d4e07db-1d80d4e07e1 129->135 136 1d80d4e0844-1d80d4e0850 130->136 137 1d80d4e083b 130->137 131->110 132->118 140 1d80d4e07f2-1d80d4e07f9 134->140 141 1d80d4e07fb-1d80d4e080d 134->141 139 1d80d4e0812-1d80d4e082c 135->139 136->103 142 1d80d4e0856-1d80d4e0857 136->142 137->136 138->95 139->130 144 1d80d4e082e-1d80d4e0833 139->144 140->140 140->141 141->139 142->89 144->129
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.383967814.000001D80D4E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D80D4E0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1d80d4e0000_rundll32.jbxd
                                                                    Similarity
                                                                    • API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
                                                                    • String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
                                                                    • API String ID: 394283112-2517549848
                                                                    • Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                    • Instruction ID: dea1723e80aab7b3ce1428a0b44b937bec720274bc3cc7c43bc077dd8ed96468
                                                                    • Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                    • Instruction Fuzzy Hash: 8472F430618A488BDB69DF28C885BFDB7E0FB95304F10462EE89AC3651DF74D586CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018002C058 Relevance: 10.4, Strings: 8, Instructions: 370COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.383720280.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #C$(I$-:$Ekf$<W$Z$l$l
                                                                    • API String ID: 0-464535774
                                                                    • Opcode ID: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
                                                                    • Instruction ID: edc4d0e98499d5b5adff65828f8d1fd2ac7ce79502a6533da94e18623254a36a
                                                                    • Opcode Fuzzy Hash: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
                                                                    • Instruction Fuzzy Hash: C102E3B151038CDBCB99DF28C8CAADD3BA1FB48398F956219FD0697260D774D884CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180010FF4 Relevance: 7.9, Strings: 6, Instructions: 363COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 180 180010ff4-180011016 181 180011020 180->181 182 180011022-180011028 181->182 183 180011814 182->183 184 18001102e-180011034 182->184 185 180011819-18001181f 183->185 186 1800114e2-1800114ec 184->186 187 18001103a-180011040 184->187 185->182 188 180011825-180011832 185->188 191 1800114f5-18001151d 186->191 192 1800114ee-1800114f3 186->192 189 1800113e2-1800114d2 call 180008200 187->189 190 180011046-18001104c 187->190 189->188 199 1800114d8-1800114dd 189->199 190->185 194 180011052-18001120b call 180021040 call 1800291ac 190->194 195 180011523-1800117f4 call 180016314 call 1800291ac call 18001e2bc 191->195 192->195 207 180011212-1800113d7 call 1800291ac call 18001e2bc 194->207 208 18001120d 194->208 209 1800117f9-180011803 195->209 199->182 207->188 215 1800113dd 207->215 208->207 209->188 212 180011805-18001180f 209->212 212->182 215->181
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.383720280.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: )|x$/Zb$/v|$OV4T$\$lA
                                                                    • API String ID: 0-3528011396
                                                                    • Opcode ID: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
                                                                    • Instruction ID: 5dbdb21e6b24644f90705741d0e2e2cc24c858ca1caac6c8284349b4f9dc1789
                                                                    • Opcode Fuzzy Hash: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
                                                                    • Instruction Fuzzy Hash: 8C2204705097C8CBDBBECF64C885BDA7BA8FB44B08F10521DEA4A9E258DB745744CB41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180021618 Relevance: 7.8, Strings: 6, Instructions: 266COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 216 180021618-180021653 217 180021655-18002165a 216->217 218 180021bf3-180021c25 217->218 219 180021660-180021665 217->219 220 180021c2a-180021c2f 218->220 221 180021a81-180021bda call 180016314 219->221 222 18002166b-180021670 219->222 224 180021838-180021845 220->224 225 180021c35 220->225 228 180021bdf-180021bee 221->228 226 1800219f3-180021a7c call 180001b1c 222->226 227 180021676-18002167b 222->227 225->217 226->217 229 1800219e4-1800219ee 227->229 230 180021681-180021686 227->230 228->217 229->217 232 1800219d5-1800219df call 18001dfb4 230->232 233 18002168c-180021691 230->233 232->217 235 180021697-18002169c 233->235 236 18002190c-1800219a5 call 18000abac 233->236 239 1800216a2-1800216a7 235->239 240 180021846-180021907 call 180021434 235->240 243 1800219aa-1800219b0 236->243 239->220 244 1800216ad-180021835 call 180008200 call 1800166c0 239->244 240->217 246 1800219b2-1800219c6 243->246 247 1800219cb-1800219d0 243->247 244->224 246->217 247->217
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.383720280.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $&.+$)O$.pN$F>9$t(/
                                                                    • API String ID: 0-3036092626
                                                                    • Opcode ID: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
                                                                    • Instruction ID: e4baced68933c0a0796cf32b330105f1a6d3ed4de4784e8c7f389f9334031704
                                                                    • Opcode Fuzzy Hash: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
                                                                    • Instruction Fuzzy Hash: E6E109716093C89FEBBACF24C8897DE7BA1FB59344F50421DD88A8E250DB745B49CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000C608 Relevance: 5.6, Strings: 4, Instructions: 616COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 252 18000c608-18000c62d 253 18000c632-18000c637 252->253 254 18000cc8a-18000cc8f 253->254 255 18000c63d 253->255 256 18000cc95-18000cc9a 254->256 257 18000cf2b-18000cfaf call 18001f7c0 call 18001c32c 254->257 258 18000c643-18000c648 255->258 259 18000cb7d-18000cc23 call 1800269b0 call 18001c32c 255->259 261 18000ce33-18000ced7 call 180008ad8 call 18001c32c 256->261 262 18000cca0-18000cca5 256->262 285 18000cfb4-18000d00a call 1800194a4 257->285 263 18000caa5-18000cb78 call 1800176b8 call 18001c32c call 1800194a4 258->263 264 18000c64e-18000c653 258->264 286 18000cc28-18000cc85 call 1800194a4 259->286 300 18000cedc-18000cf26 call 1800194a4 261->300 268 18000cd35-18000cdce call 18000703c call 18001c32c 262->268 269 18000ccab-18000ccb0 262->269 263->253 271 18000c9c1-18000ca52 call 18002870c call 18001c32c 264->271 272 18000c659-18000c65e 264->272 305 18000cdd3-18000ce2e call 1800194a4 268->305 279 18000ccb6-18000cd30 call 180021434 269->279 280 18000d00f-18000d014 269->280 308 18000ca57-18000caa0 call 1800194a4 271->308 282 18000c664-18000c669 272->282 283 18000c8bb-18000c963 call 180002610 call 18001c32c 272->283 279->253 280->253 288 18000d01a-18000d020 280->288 292 18000c7b2-18000c85a call 180019618 call 18001c32c 282->292 293 18000c66f-18000c674 282->293 316 18000c968-18000c9bc call 1800194a4 283->316 285->280 286->253 325 18000c85f-18000c8b6 call 1800194a4 292->325 293->280 303 18000c67a-18000c73d call 180002178 call 18001c32c 293->303 300->253 326 18000c742-18000c7ad call 1800194a4 303->326 305->253 308->253 316->253 325->253 326->253
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.383720280.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: +#;)$K'$sf$w\H
                                                                    • API String ID: 0-1051058546
                                                                    • Opcode ID: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
                                                                    • Instruction ID: 30c6111824d62709d88844cae5ccd518ea343406d57bec7882368cdc1c6a6611
                                                                    • Opcode Fuzzy Hash: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
                                                                    • Instruction Fuzzy Hash: 8362F97050068D8FDB48DF28C89A6DD3FA1FB58388F524229FC4AA7251D778D999CBC4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001E3AC Relevance: 4.0, Strings: 3, Instructions: 215COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.383720280.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: <4P$<8$<w.
                                                                    • API String ID: 0-1030867500
                                                                    • Opcode ID: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
                                                                    • Instruction ID: 97d266913d6b0fd63d839b3c54903fd41a2ccd22a8a26fffcb9587bfe3b6431f
                                                                    • Opcode Fuzzy Hash: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
                                                                    • Instruction Fuzzy Hash: C8B1E17151A384ABD788CF28C1C994BBBE1FBD4754F906A1DF8C68B260D7B0D948CB02
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180009100 Relevance: .1, Instructions: 125COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.383720280.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
                                                                    • Instruction ID: 281782cf28aa09d34d334260f991d1b96cfbd8271b51b9b7c31761fd0664cb75
                                                                    • Opcode Fuzzy Hash: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
                                                                    • Instruction Fuzzy Hash: 4B51EC715087889BCBB8DF18C9856CA7BF0FF95704F50891DE9898B250DF719A44DB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions

                                                                    Function 0000000180022010 Relevance: 9.0, Strings: 7, Instructions: 235COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 358 180022010-18002203b 359 18002203d-180022043 358->359 360 180022338-1800223a1 call 18001455c 359->360 361 180022049-18002204f 359->361 368 1800223a6-1800223ac 360->368 362 180022055-18002205b 361->362 363 18002232e-180022333 361->363 366 180022061-180022067 362->366 367 1800222be-180022329 call 180019cb4 362->367 363->359 370 180022069-18002206f 366->370 371 18002209a-1800222b9 call 18001dbe8 call 180012320 call 1800194a4 366->371 367->359 368->359 372 1800223b2-1800223c2 368->372 370->368 375 180022075-180022083 370->375 371->368 376 180022089-18002208d 375->376 378 180022085-180022086 376->378 379 18002208f-180022098 376->379 378->376 379->359
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.383720280.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: "+H$1l7.$M8;$]$d$]k$]k$94
                                                                    • API String ID: 0-2447245168
                                                                    • Opcode ID: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
                                                                    • Instruction ID: 1221e244f5383d3e6569bf50eb566ee92e7d288cf12f4405919b94e37960c7a7
                                                                    • Opcode Fuzzy Hash: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
                                                                    • Instruction Fuzzy Hash: 3FB10D7160130CCBDBA9DF28C18A6DA3BE1FF48748F114129FD1A97261D774E919CB46
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800059B8 Relevance: 7.9, Strings: 6, Instructions: 408COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 568 1800059b8-180005a02 569 180005a04-180005a09 568->569 570 180006107-1800061a6 call 180001b1c 569->570 571 180005a0f-180005a14 569->571 583 1800061ab-1800061b0 570->583 572 180005a1a-180005a1f 571->572 573 180005fcd-180006102 call 180016314 571->573 576 180005a25-180005a2a 572->576 577 180005da6-180005fb1 call 1800093f0 572->577 573->569 581 1800061bb-18000625a call 180001b1c 576->581 582 180005a30-180005a35 576->582 590 180005fc3-180005fc8 577->590 591 180005fb3-180005fbe 577->591 588 18000625f-180006271 581->588 585 180005a3b-180005a40 582->585 586 180005d7e-180005d8c 582->586 587 1800061b6 583->587 583->588 592 180005a46-180005a4b 585->592 593 180005b78-180005d79 call 180009f5c call 18000a62c call 1800194a4 585->593 594 180005d92-180005d96 586->594 587->569 590->569 591->569 598 180005a51-180005a56 592->598 599 180005ad8-180005b68 call 18000abac 592->599 593->569 595 180005d98-180005da1 594->595 596 180005d8e-180005d8f 594->596 595->569 596->594 598->583 602 180005a5c-180005ad3 call 180007958 598->602 599->588 607 180005b6e-180005b73 599->607 602->569 607->569
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.383720280.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: -!zt$Mv`b$R3T$d}9J$t:v$ru
                                                                    • API String ID: 0-2100131636
                                                                    • Opcode ID: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
                                                                    • Instruction ID: abddbd47ac15f5a8ffacaf8e31a06efd054a3dbd2afb1a66e8bbaa14beb483a4
                                                                    • Opcode Fuzzy Hash: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
                                                                    • Instruction Fuzzy Hash: C1221BB050478C8BDBB8CF64C9897DD7BB0FB44308F10862DDA5AAB250CBB45686CF59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180013780 Relevance: 7.8, Strings: 6, Instructions: 323COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 611 180013780-1800137f4 call 1800142a0 614 1800137fb-180013800 611->614 615 180013806-18001380b 614->615 616 180013c55-180013ce4 call 18002620c 614->616 617 180013811-180013816 615->617 618 180013c4b-180013c50 615->618 625 180013ce6-180013ceb 616->625 626 180013cf0 616->626 620 18001381c-180013821 617->620 621 1800138cd-180013c46 call 180006664 call 18000bb28 call 18002a6c8 call 1800194a4 617->621 618->614 623 180013cf5-180013cfa 620->623 624 180013827-1800138a9 call 18000290c 620->624 621->614 629 1800138ae-1800138cc 623->629 630 180013d00 623->630 624->629 625->614 626->623 630->614
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.383720280.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $$"`2$lbzZ$lmq$tro$kO
                                                                    • API String ID: 0-2401169580
                                                                    • Opcode ID: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
                                                                    • Instruction ID: 279b0f6eedbbacd77816cba7ac57bf6919de5fbe0bc464da326619847ce4fcd1
                                                                    • Opcode Fuzzy Hash: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
                                                                    • Instruction Fuzzy Hash: BBF1C3709047488FDBA8DFA8D9867DDBBB1FB48304F20821DD84AEB255DB749A49CF41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000FC48 Relevance: 6.7, Strings: 5, Instructions: 447COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.383720280.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: )#?$EX.$PT$UbA$2f
                                                                    • API String ID: 0-1318892062
                                                                    • Opcode ID: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
                                                                    • Instruction ID: a9b5704be98d3dd027f678fe08c59eda011257bdda9cf4ed25ea0f7660729633
                                                                    • Opcode Fuzzy Hash: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
                                                                    • Instruction Fuzzy Hash: 8B320DB190078C8BDBB8CF64C8856DD7BF0FB48318F50852DEA1A9B251DBB45685CF98
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001FC0C Relevance: 6.6, Strings: 5, Instructions: 400COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 676 18001fc0c-18001fc44 call 1800142a0 679 18001fc46-18001fc4b 676->679 680 18001fc51 679->680 681 18001ff13-18001ff18 679->681 682 18001fe94-18001ff0e call 180012598 680->682 683 18001fc57-18001fc5c 680->683 684 180020169-1800201f9 call 1800190d4 681->684 685 18001ff1e-18001ff23 681->685 682->679 687 18001fc62-18001fc67 683->687 688 18001fde5-18001fe8f call 180012598 683->688 702 1800201fe-180020203 684->702 689 1800200b6-180020164 call 180012598 685->689 690 18001ff29-18001ff2e 685->690 695 18002020a-18002026b call 1800190d4 687->695 696 18001fc6d-18001fc72 687->696 688->679 689->679 698 1800200a1-1800200b1 call 1800014f8 690->698 699 18001ff34-18001ff39 690->699 711 180020270-180020291 695->711 706 18001fc78-18001fc7d 696->706 707 18001fd57-18001fde0 call 180012598 696->707 698->679 700 180020003-180020091 call 180021434 699->700 701 18001ff3f-18001ff44 699->701 700->711 723 180020097-18002009c 700->723 701->702 709 18001ff4a-18001fffe call 180012598 701->709 710 180020205 702->710 702->711 715 18001fc83-18001fc88 706->715 716 18001fd1f-18001fd52 706->716 707->679 709->679 710->679 715->702 720 18001fc8e-18001fd1a call 18001e938 715->720 716->679 720->679 723->679
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.383720280.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $T$?F$QP|m$qjf$tZp
                                                                    • API String ID: 0-3477398917
                                                                    • Opcode ID: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
                                                                    • Instruction ID: e54beaa769b94aae3cb673a52a2b60ade73482c6e5d3d936cdc9b6ae13d51efd
                                                                    • Opcode Fuzzy Hash: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
                                                                    • Instruction Fuzzy Hash: 0B122870A0470CDFCF69DFA8C08A6DDBBF2FB44344F1091A9E816AB261D7759A19CB41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180016D3C Relevance: 6.6, Strings: 5, Instructions: 379COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.383720280.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: JQ$k&($t$v$x\J
                                                                    • API String ID: 0-1134872184
                                                                    • Opcode ID: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
                                                                    • Instruction ID: 7c1fd17b310acde7e359d6be57bcfb6c2dd011f2caef592e77d3cba241376f6b
                                                                    • Opcode Fuzzy Hash: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
                                                                    • Instruction Fuzzy Hash: F312E0B0504709EFCB99DF28C18AADE7BF0FB48308F40812AF80A9B254D774DA58DB45
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000703C Relevance: 6.3, Strings: 5, Instructions: 87COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.383720280.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: R$)H8$?rIc$L==$V
                                                                    • API String ID: 0-2512384441
                                                                    • Opcode ID: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
                                                                    • Instruction ID: 6f6f9af97a41f07aad9f9d1cbd67af5334817a93c453241fb2a5d498ae2065c2
                                                                    • Opcode Fuzzy Hash: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
                                                                    • Instruction Fuzzy Hash: 3541D0B090074E8BCF48CF64D49A5DE7FB0FB68398F20421DE856A6250D3B896A5CFC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800119A8 Relevance: 6.3, Strings: 5, Instructions: 63COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.383720280.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Qq$bt$vird$+$S
                                                                    • API String ID: 0-3373980505
                                                                    • Opcode ID: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
                                                                    • Instruction ID: 8c34661c01ca41a1498f33dadfb9b2381b3c020394efcb6cfebc1cbd8490f91c
                                                                    • Opcode Fuzzy Hash: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
                                                                    • Instruction Fuzzy Hash: 8831C2B081038A8FDB45CF64C88A5DE7BF0FB58358F115A19F869A6250D3B4D668CF81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180011AD0 Relevance: 5.3, Strings: 4, Instructions: 335COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.383720280.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: V$@$P9$^_"
                                                                    • API String ID: 0-1880944046
                                                                    • Opcode ID: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
                                                                    • Instruction ID: ef3f81825b514374c5d287d432cdf068934c0dc0259921085eace1de493a05f6
                                                                    • Opcode Fuzzy Hash: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
                                                                    • Instruction Fuzzy Hash: B6F1DF70504749EFCB98CF28D18AACE7BE0FB48348F50812AF81A9B264D770DA59DB45
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800132F0 Relevance: 5.3, Strings: 4, Instructions: 312COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.383720280.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: =_$F)k$b/$syG
                                                                    • API String ID: 0-3955183656
                                                                    • Opcode ID: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
                                                                    • Instruction ID: 3a63fdd7148b145f5d2717dabea2a2fa508061acbcc25a132c341bfe6e9ad30f
                                                                    • Opcode Fuzzy Hash: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
                                                                    • Instruction Fuzzy Hash: DED12771A0478D8BCF59DFA8C88A6EEBBB0FB48344F10421DE846A7650D7B4D909CF85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180002D70 Relevance: 5.3, Strings: 4, Instructions: 266COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.383720280.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #X$'Xsa$iJ6$vG
                                                                    • API String ID: 0-746338152
                                                                    • Opcode ID: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
                                                                    • Instruction ID: 8ba50615c78112980223cca8f04f1fa67c4b69ee5a809e4e0bd2b8ae6832a1bb
                                                                    • Opcode Fuzzy Hash: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
                                                                    • Instruction Fuzzy Hash: 93E154B590070DDFCB88DF68D19A9DD7BB9BB49308F404029FC0E9A264D3B4E919CB56
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800097C0 Relevance: 5.3, Strings: 4, Instructions: 257COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.383720280.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: *i^$MIC$-Z$]2
                                                                    • API String ID: 0-498664264
                                                                    • Opcode ID: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
                                                                    • Instruction ID: 9792ecb135b2155067e966d5e38dbf4f409fde80c29e70d57d2078ebe1ce15c6
                                                                    • Opcode Fuzzy Hash: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
                                                                    • Instruction Fuzzy Hash: 10E1C670109B888FDBF8DF64CC86BEB7BA5FB44346F10651DD84A8A290DBB46645CF41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180010758 Relevance: 5.2, Strings: 4, Instructions: 222COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.383720280.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: B$EG$QsF$_
                                                                    • API String ID: 0-784369960
                                                                    • Opcode ID: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
                                                                    • Instruction ID: 62dbbc71664ee0946fffbba3b71afe09b12d9ffe0d1744d6deb9db65ff0cd9cc
                                                                    • Opcode Fuzzy Hash: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
                                                                    • Instruction Fuzzy Hash: 3FB1387010468D8FDF88DF28C88A6DA3FA1FB68388F614219FC4A97250C778D694CBC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180020334 Relevance: 5.2, Strings: 4, Instructions: 190COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.383720280.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: -`G$.$5B.Y$Z`35
                                                                    • API String ID: 0-1363032466
                                                                    • Opcode ID: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
                                                                    • Instruction ID: b244d414363a4385de25ad5610b22aaac7fb2f2c92cf8150697ad32e565f4bd8
                                                                    • Opcode Fuzzy Hash: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
                                                                    • Instruction Fuzzy Hash: 29A1FB716157888FEB7ADF24C89A7CE7BE1FB49308F40461DD98E8A250D7B49609CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000EE98 Relevance: 5.2, Strings: 4, Instructions: 167COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.383720280.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: *+_$WSh$\O$#o
                                                                    • API String ID: 0-1846314129
                                                                    • Opcode ID: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
                                                                    • Instruction ID: 175ce4bc0e22c7a636d32034be2bbb8ad42f6b3cb6a748f64f507b7f0b29ed37
                                                                    • Opcode Fuzzy Hash: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
                                                                    • Instruction Fuzzy Hash: 1971167160474ECFCB98DF18C489ADA3BE1FB58318F414529FC09A7264DB74DAA8CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180024D80 Relevance: 5.2, Strings: 4, Instructions: 155COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.383720280.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: .B$O$M*K$\<
                                                                    • API String ID: 0-3225238681
                                                                    • Opcode ID: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
                                                                    • Instruction ID: 95d2fbb8f7fe970b1359d27f41ccd6aad584115d4fee043204e0c0f4c3f3b287
                                                                    • Opcode Fuzzy Hash: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
                                                                    • Instruction Fuzzy Hash: 7181E370549788CFEBBACF24C886BDE7BE4FB48744F20461DE85A8A260DB709645CF41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018002A42C Relevance: 5.1, Strings: 4, Instructions: 143COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.383720280.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $$$$xVO$~O
                                                                    • API String ID: 0-3655128719
                                                                    • Opcode ID: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
                                                                    • Instruction ID: 8f78542db34460f4381821bab2b7e4f68a699ed7f8b2fc47c959991f0b02677a
                                                                    • Opcode Fuzzy Hash: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
                                                                    • Instruction Fuzzy Hash: 5B61D1B05187448FD369DF28C18965BBBF1FBC6744F008A1EF6868A260DB76D948CB47
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800024B8 Relevance: 5.1, Strings: 4, Instructions: 79COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.383720280.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ,IW$G$JMg$l
                                                                    • API String ID: 0-1370644289
                                                                    • Opcode ID: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
                                                                    • Instruction ID: 7fb8b97fd43ed4dc52a467cdcf5cca41e6e56dbc92574a5c866222c6b731b82a
                                                                    • Opcode Fuzzy Hash: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
                                                                    • Instruction Fuzzy Hash: 0A41D3B190074E8FCB48CF64C88A5DE7FB0FB18358F10461EE85AA6250D7B89695CFC9
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180018AB4 Relevance: 5.1, Strings: 4, Instructions: 119COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.383720280.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ,$,$2S=$i`}G
                                                                    • API String ID: 0-4285990414
                                                                    • Opcode ID: 1704a5678c6fc7c63ed33a4399dbb19a0648d0f8b4dca33206a3e55e43de3fb6
                                                                    • Instruction ID: 665cb0e6160ce90faac3fa7baf9a16caae401c848b442bb7533a8cc1fd62885f
                                                                    • Opcode Fuzzy Hash: 1704a5678c6fc7c63ed33a4399dbb19a0648d0f8b4dca33206a3e55e43de3fb6
                                                                    • Instruction Fuzzy Hash: 4D41E57051CB848FD7B4DF18D486BDABBE0FB98750F40495EE48DC3251DBB0A8858B86
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Execution Graph

                                                                    Execution Coverage:55.8%
                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:11
                                                                    Total number of Limit Nodes:0
                                                                    execution_graph 162 25875c00000 163 25875c00183 162->163 164 25875c0043e VirtualAlloc 163->164 168 25875c00462 164->168 165 25875c00a7b 166 25875c00531 GetNativeSystemInfo 166->165 167 25875c0056d VirtualAlloc 166->167 172 25875c0058b 167->172 168->165 168->166 169 25875c00a00 169->165 170 25875c00a56 RtlAddFunctionTable 169->170 170->165 171 25875c009d9 VirtualProtect 171->172 172->169 172->171 172->172

                                                                    Callgraph

                                                                    • Executed
                                                                    • Not Executed
                                                                    • Opacity -> Relevance
                                                                    • Disassembly available
                                                                    callgraph 0 Function_0000025875C00AA8 1 Function_0000025875C00000 1->0

                                                                    Executed Functions

                                                                    Function 0000025875C00000 Relevance: 76.3, APIs: 5, Strings: 38, Instructions: 1094memoryCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 0 25875c00000-25875c00460 call 25875c00aa8 * 2 VirtualAlloc 22 25875c0048a-25875c00494 0->22 23 25875c00462-25875c00466 0->23 26 25875c0049a-25875c0049e 22->26 27 25875c00a91-25875c00aa6 22->27 24 25875c00468-25875c00488 23->24 24->22 24->24 26->27 28 25875c004a4-25875c004a8 26->28 28->27 29 25875c004ae-25875c004b2 28->29 29->27 30 25875c004b8-25875c004bf 29->30 30->27 31 25875c004c5-25875c004d2 30->31 31->27 32 25875c004d8-25875c004e1 31->32 32->27 33 25875c004e7-25875c004f4 32->33 33->27 34 25875c004fa-25875c00507 33->34 35 25875c00509-25875c00511 34->35 36 25875c00531-25875c00567 GetNativeSystemInfo 34->36 37 25875c00513-25875c00518 35->37 36->27 38 25875c0056d-25875c00589 VirtualAlloc 36->38 39 25875c0051a-25875c0051f 37->39 40 25875c00521 37->40 41 25875c0058b-25875c0059e 38->41 42 25875c005a0-25875c005ac 38->42 43 25875c00523-25875c0052f 39->43 40->43 41->42 44 25875c005af-25875c005b2 42->44 43->36 43->37 45 25875c005c1-25875c005db 44->45 46 25875c005b4-25875c005bf 44->46 48 25875c0061b-25875c00622 45->48 49 25875c005dd-25875c005e2 45->49 46->44 51 25875c00628-25875c0062f 48->51 52 25875c006db-25875c006e2 48->52 50 25875c005e4-25875c005ea 49->50 53 25875c0060b-25875c00619 50->53 54 25875c005ec-25875c00609 50->54 51->52 55 25875c00635-25875c00642 51->55 56 25875c006e8-25875c006f9 52->56 57 25875c00864-25875c0086b 52->57 53->48 53->50 54->53 54->54 55->52 60 25875c00648-25875c0064f 55->60 61 25875c00702-25875c00705 56->61 58 25875c00871-25875c0087f 57->58 59 25875c00917-25875c00929 57->59 64 25875c0090e-25875c00911 58->64 62 25875c0092f-25875c00937 59->62 63 25875c00a07-25875c00a1a 59->63 65 25875c00654-25875c00658 60->65 66 25875c006fb-25875c006ff 61->66 67 25875c00707-25875c0070a 61->67 69 25875c0093b-25875c0093f 62->69 80 25875c00a1c-25875c00a27 63->80 81 25875c00a40-25875c00a4a 63->81 64->59 68 25875c00884-25875c008a9 64->68 70 25875c006c0-25875c006ca 65->70 66->61 71 25875c00788-25875c0078e 67->71 72 25875c0070c-25875c0071d 67->72 97 25875c008ab-25875c008b1 68->97 98 25875c00907-25875c0090c 68->98 76 25875c009ec-25875c009fa 69->76 77 25875c00945-25875c0095a 69->77 74 25875c0065a-25875c00669 70->74 75 25875c006cc-25875c006d2 70->75 73 25875c00794-25875c007a2 71->73 72->73 78 25875c0071f-25875c00720 72->78 82 25875c007a8 73->82 83 25875c0085d-25875c0085e 73->83 88 25875c0067a-25875c0067e 74->88 89 25875c0066b-25875c00678 74->89 75->65 84 25875c006d4-25875c006d5 75->84 76->69 90 25875c00a00-25875c00a01 76->90 86 25875c0097b-25875c0097d 77->86 87 25875c0095c-25875c0095e 77->87 91 25875c00722-25875c00784 78->91 93 25875c00a38-25875c00a3e 80->93 95 25875c00a7b-25875c00a8e 81->95 96 25875c00a4c-25875c00a54 81->96 94 25875c007ae-25875c007d4 82->94 83->57 84->52 102 25875c0097f-25875c00981 86->102 103 25875c009a2-25875c009a4 86->103 99 25875c0096e-25875c00979 87->99 100 25875c00960-25875c0096c 87->100 104 25875c0068c-25875c00690 88->104 105 25875c00680-25875c0068a 88->105 101 25875c006bd-25875c006be 89->101 90->63 91->91 92 25875c00786 91->92 92->73 93->81 112 25875c00a29-25875c00a35 93->112 131 25875c00835-25875c00839 94->131 132 25875c007d6-25875c007d9 94->132 95->27 96->95 113 25875c00a56-25875c00a79 RtlAddFunctionTable 96->113 110 25875c008bb-25875c008c8 97->110 111 25875c008b3-25875c008b9 97->111 98->64 114 25875c009be-25875c009bf 99->114 100->114 101->70 115 25875c00989-25875c0098b 102->115 116 25875c00983-25875c00987 102->116 108 25875c009ac-25875c009bb 103->108 109 25875c009a6-25875c009aa 103->109 106 25875c00692-25875c006a3 104->106 107 25875c006a5-25875c006a9 104->107 117 25875c006b6-25875c006ba 105->117 106->117 107->101 119 25875c006ab-25875c006b3 107->119 108->114 109->114 122 25875c008ca-25875c008d1 110->122 123 25875c008d3-25875c008e5 110->123 121 25875c008ea-25875c008fe 111->121 112->93 113->95 120 25875c009c5-25875c009cb 114->120 115->103 118 25875c0098d-25875c0098f 115->118 116->114 117->101 126 25875c00999-25875c009a0 118->126 127 25875c00991-25875c00997 118->127 119->117 128 25875c009d9-25875c009e9 VirtualProtect 120->128 129 25875c009cd-25875c009d3 120->129 121->98 139 25875c00900-25875c00905 121->139 122->122 122->123 123->121 126->120 127->114 128->76 129->128 133 25875c0083b 131->133 134 25875c00844-25875c00850 131->134 136 25875c007db-25875c007e1 132->136 137 25875c007e3-25875c007f0 132->137 133->134 134->94 138 25875c00856-25875c00857 134->138 140 25875c00812-25875c0082c 136->140 141 25875c007fb-25875c0080d 137->141 142 25875c007f2-25875c007f9 137->142 138->83 139->97 140->131 144 25875c0082e-25875c00833 140->144 141->140 142->141 142->142 144->132
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.474309308.0000025875C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025875C00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_25875c00000_rundll32.jbxd
                                                                    Similarity
                                                                    • API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
                                                                    • String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
                                                                    • API String ID: 394283112-2517549848
                                                                    • Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                    • Instruction ID: 3d20b5ab67288e7b4d9812cd2c59c877f5078ff9c24f82cdf948bd7ba583df25
                                                                    • Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                    • Instruction Fuzzy Hash: 1372F334519A488BEB68DF18CC897B9B7E1FB98301F61422DE89EE3241DF74D941CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Execution Graph

                                                                    Execution Coverage:18.3%
                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                    Signature Coverage:4.8%
                                                                    Total number of Nodes:83
                                                                    Total number of Limit Nodes:8
                                                                    execution_graph 3902 18001aca4 3907 18001ad22 3902->3907 3903 18001ba75 3907->3903 3908 180012b50 3907->3908 3911 18000a4fc 3907->3911 3914 18001cec4 3907->3914 3910 180012b8a 3908->3910 3909 180012bfb InternetOpenW 3909->3907 3910->3909 3913 18000a572 3911->3913 3912 18000a5f0 HttpOpenRequestW 3912->3907 3913->3912 3916 18001cf4a 3914->3916 3915 18001cfe2 InternetConnectW 3915->3907 3916->3915 3917 180015388 3920 1800227d4 3917->3920 3919 1800153e3 3924 18002281d 3920->3924 3922 180024315 3922->3919 3924->3922 3926 18001c05c 3924->3926 3930 18001c568 3924->3930 3937 180017908 3924->3937 3928 18001c0af 3926->3928 3929 18001c2e1 3928->3929 3941 18002ad58 3928->3941 3929->3924 3933 18001c58a 3930->3933 3932 18001c948 3932->3924 3933->3932 3948 180003598 3933->3948 3952 18000ac48 3933->3952 3956 180025dac 3933->3956 3960 1800097c0 3933->3960 3939 180017932 3937->3939 3938 180015e2c CreateThread 3938->3939 3939->3938 3940 180017bcd 3939->3940 3940->3924 3944 1800046a8 3941->3944 3943 18002ae38 3943->3928 3946 1800046ec 3944->3946 3945 180004982 3945->3943 3946->3945 3947 180004945 Process32FirstW 3946->3947 3947->3946 3950 180003640 3948->3950 3949 1800044c0 3949->3933 3950->3949 3964 18001ed50 3950->3964 3954 18000ac8e 3952->3954 3953 18000b5fe 3953->3933 3954->3953 3955 18001ed50 CreateFileW 3954->3955 3955->3954 3959 180025dde 3956->3959 3958 180026180 3958->3933 3959->3958 3971 180015e2c 3959->3971 3961 1800097fc 3960->3961 3962 18000981d 3961->3962 3963 18001ed50 CreateFileW 3961->3963 3962->3933 3963->3961 3966 18001ed7a 3964->3966 3967 18001f06b 3966->3967 3968 18000fb00 3966->3968 3967->3950 3970 18000fb80 3968->3970 3969 18000fc15 CreateFileW 3969->3966 3970->3969 3973 180015ea5 3971->3973 3972 180015f3b CreateThread 3972->3959 3973->3972 3974 180015e2c 3976 180015ea5 3974->3976 3975 180015f3b CreateThread 3976->3975 3998 18001496c 4001 1800149ce 3998->4001 3999 1800152ba 4000 18000fb00 CreateFileW 4000->4001 4001->3999 4001->4000 3977 180024d80 3979 180024eed 3977->3979 3978 1800250bd 3979->3978 3981 180019a30 3979->3981 3982 180019aa4 3981->3982 3983 180019b2a GetVolumeInformationW 3982->3983 3983->3978 3984 9e0000 3985 9e0183 3984->3985 3986 9e043e VirtualAlloc 3985->3986 3990 9e0462 3986->3990 3987 9e0a7b 3988 9e0531 GetNativeSystemInfo 3988->3987 3989 9e056d VirtualAlloc 3988->3989 3994 9e058b 3989->3994 3990->3987 3990->3988 3991 9e0a00 3991->3987 3992 9e0a56 RtlAddFunctionTable 3991->3992 3992->3987 3993 9e09d9 VirtualProtect 3993->3994 3994->3991 3994->3993 3994->3994 3995 18000fb00 3997 18000fb80 3995->3997 3996 18000fc15 CreateFileW 3997->3996

                                                                    Executed Functions

                                                                    Function 009E0000 Relevance: 76.3, APIs: 5, Strings: 38, Instructions: 1094memoryCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 0 9e0000-9e0460 call 9e0aa8 * 2 VirtualAlloc 22 9e048a-9e0494 0->22 23 9e0462-9e0466 0->23 26 9e049a-9e049e 22->26 27 9e0a91-9e0aa6 22->27 24 9e0468-9e0488 23->24 24->22 24->24 26->27 28 9e04a4-9e04a8 26->28 28->27 29 9e04ae-9e04b2 28->29 29->27 30 9e04b8-9e04bf 29->30 30->27 31 9e04c5-9e04d2 30->31 31->27 32 9e04d8-9e04e1 31->32 32->27 33 9e04e7-9e04f4 32->33 33->27 34 9e04fa-9e0507 33->34 35 9e0509-9e0511 34->35 36 9e0531-9e0567 GetNativeSystemInfo 34->36 37 9e0513-9e0518 35->37 36->27 38 9e056d-9e0589 VirtualAlloc 36->38 39 9e051a-9e051f 37->39 40 9e0521 37->40 41 9e058b-9e059e 38->41 42 9e05a0-9e05ac 38->42 43 9e0523-9e052f 39->43 40->43 41->42 44 9e05af-9e05b2 42->44 43->36 43->37 46 9e05b4-9e05bf 44->46 47 9e05c1-9e05db 44->47 46->44 48 9e05dd-9e05e2 47->48 49 9e061b-9e0622 47->49 52 9e05e4-9e05ea 48->52 50 9e06db-9e06e2 49->50 51 9e0628-9e062f 49->51 56 9e06e8-9e06f9 50->56 57 9e0864-9e086b 50->57 51->50 55 9e0635-9e0642 51->55 53 9e05ec-9e0609 52->53 54 9e060b-9e0619 52->54 53->53 53->54 54->49 54->52 55->50 60 9e0648-9e064f 55->60 61 9e0702-9e0705 56->61 58 9e0917-9e0929 57->58 59 9e0871-9e087f 57->59 62 9e092f-9e0937 58->62 63 9e0a07-9e0a1a 58->63 64 9e090e-9e0911 59->64 65 9e0654-9e0658 60->65 66 9e06fb-9e06ff 61->66 67 9e0707-9e070a 61->67 69 9e093b-9e093f 62->69 88 9e0a1c-9e0a27 63->88 89 9e0a40-9e0a4a 63->89 64->58 68 9e0884-9e08a9 64->68 70 9e06c0-9e06ca 65->70 66->61 71 9e070c-9e071d 67->71 72 9e0788-9e078e 67->72 95 9e08ab-9e08b1 68->95 96 9e0907-9e090c 68->96 75 9e09ec-9e09fa 69->75 76 9e0945-9e095a 69->76 73 9e06cc-9e06d2 70->73 74 9e065a-9e0669 70->74 77 9e071f-9e0720 71->77 78 9e0794-9e07a2 71->78 72->78 73->65 80 9e06d4-9e06d5 73->80 84 9e067a-9e067e 74->84 85 9e066b-9e0678 74->85 75->69 86 9e0a00-9e0a01 75->86 82 9e095c-9e095e 76->82 83 9e097b-9e097d 76->83 87 9e0722-9e0784 77->87 90 9e085d-9e085e 78->90 91 9e07a8 78->91 80->50 97 9e096e-9e0979 82->97 98 9e0960-9e096c 82->98 100 9e097f-9e0981 83->100 101 9e09a2-9e09a4 83->101 102 9e068c-9e0690 84->102 103 9e0680-9e068a 84->103 99 9e06bd-9e06be 85->99 86->63 87->87 104 9e0786 87->104 105 9e0a38-9e0a3e 88->105 93 9e0a4c-9e0a54 89->93 94 9e0a7b-9e0a8e 89->94 90->57 92 9e07ae-9e07d4 91->92 129 9e07d6-9e07d9 92->129 130 9e0835-9e0839 92->130 93->94 111 9e0a56-9e0a79 RtlAddFunctionTable 93->111 94->27 108 9e08bb-9e08c8 95->108 109 9e08b3-9e08b9 95->109 96->64 112 9e09be-9e09bf 97->112 98->112 99->70 113 9e0989-9e098b 100->113 114 9e0983-9e0987 100->114 106 9e09ac-9e09bb 101->106 107 9e09a6-9e09aa 101->107 116 9e06a5-9e06a9 102->116 117 9e0692-9e06a3 102->117 115 9e06b6-9e06ba 103->115 104->78 105->89 110 9e0a29-9e0a35 105->110 106->112 107->112 120 9e08ca-9e08d1 108->120 121 9e08d3-9e08e5 108->121 119 9e08ea-9e08fe 109->119 110->105 111->94 118 9e09c5-9e09cb 112->118 113->101 124 9e098d-9e098f 113->124 114->112 115->99 116->99 125 9e06ab-9e06b3 116->125 117->115 126 9e09cd-9e09d3 118->126 127 9e09d9-9e09e9 VirtualProtect 118->127 119->96 139 9e0900-9e0905 119->139 120->120 120->121 121->119 131 9e0999-9e09a0 124->131 132 9e0991-9e0997 124->132 125->115 126->127 127->75 134 9e07db-9e07e1 129->134 135 9e07e3-9e07f0 129->135 136 9e083b 130->136 137 9e0844-9e0850 130->137 131->118 132->112 140 9e0812-9e082c 134->140 141 9e07fb-9e080d 135->141 142 9e07f2-9e07f9 135->142 136->137 137->92 138 9e0856-9e0857 137->138 138->90 139->95 140->130 144 9e082e-9e0833 140->144 141->140 142->141 142->142 144->129
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.759208596.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_9e0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
                                                                    • String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
                                                                    • API String ID: 394283112-2517549848
                                                                    • Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                    • Instruction ID: aed19e20113c5d16b616a8e7e07bd5a05b1cab5a346abaad623aeaedb7b1117a
                                                                    • Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                    • Instruction Fuzzy Hash: 4872D530618B8C8BDB29DF19C8856B9B7E1FB98305F10462DE8CBD7211DB74D986CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000D26C Relevance: 7.9, Strings: 6, Instructions: 361COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.759708850.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #X$Ec;$J$^c$^c$n
                                                                    • API String ID: 0-2929744921
                                                                    • Opcode ID: 4bf1a5684c4273f47db2f7bfe37ec9194a020a583a1b353a94edbff9173a6149
                                                                    • Instruction ID: 2841c3f5e183e4376706155e5f630a85a86355917b0bfec54de2fd5c82beda78
                                                                    • Opcode Fuzzy Hash: 4bf1a5684c4273f47db2f7bfe37ec9194a020a583a1b353a94edbff9173a6149
                                                                    • Instruction Fuzzy Hash: DB0214705187C88BC798DFA8C48965EFBE1FB98744F108A1DF48687660DBF4D948CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800132F0 Relevance: 5.3, Strings: 4, Instructions: 312COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 634 1800132f0-18001332a 635 18001332c-180013331 634->635 636 1800136a3 635->636 637 180013337-18001333c 635->637 638 1800136a8-1800136ad 636->638 639 180013342-180013347 637->639 640 1800135f0-18001368c call 180021434 637->640 638->635 641 1800136b3-1800136b6 638->641 639->638 643 18001334d-1800133c6 call 18001a754 639->643 647 180013691-180013697 640->647 645 180013759-180013760 641->645 646 1800136bc-180013757 call 180013e28 641->646 649 1800133cb-1800133d0 643->649 651 180013763-18001377d 645->651 646->651 647->641 648 180013699-18001369e 647->648 652 1800135e2-1800135eb 648->652 649->646 653 1800133d6-1800133db 649->653 652->635 653->641 655 1800133e1-1800133e6 653->655 655->652 656 1800133ec-1800134a8 call 180021434 655->656 656->641 659 1800134ae-1800135dc call 180016428 call 180013e28 656->659 659->641 659->652
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.759708850.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: =_$F)k$b/$syG
                                                                    • API String ID: 0-3955183656
                                                                    • Opcode ID: 78e362ff9fa706a76cdd339057cb87764c88e196f3f9d59d0d5946dc172ac972
                                                                    • Instruction ID: 3a63fdd7148b145f5d2717dabea2a2fa508061acbcc25a132c341bfe6e9ad30f
                                                                    • Opcode Fuzzy Hash: 78e362ff9fa706a76cdd339057cb87764c88e196f3f9d59d0d5946dc172ac972
                                                                    • Instruction Fuzzy Hash: DED12771A0478D8BCF59DFA8C88A6EEBBB0FB48344F10421DE846A7650D7B4D909CF85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800046A8 Relevance: 2.7, Strings: 2, Instructions: 191COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.759708850.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 5IF$P)#
                                                                    • API String ID: 0-1025399686
                                                                    • Opcode ID: f542572e4f2ff63548a52b2cdf5e12f4f3f89a6a74df4dd4d6ea84f2146f04ed
                                                                    • Instruction ID: ff53fea05c8e9f3baddf865253a509f05c382ca6cc85a3c859ee45a04624b947
                                                                    • Opcode Fuzzy Hash: f542572e4f2ff63548a52b2cdf5e12f4f3f89a6a74df4dd4d6ea84f2146f04ed
                                                                    • Instruction Fuzzy Hash: 0B9182711197889FCBA9DF18C8857DEB7E0FB88744F90561DF84A8B260C7B4DA49CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001CEC4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89networkCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 584 18001cec4-18001cf6a call 1800142a0 587 18001cfe2-18001d01f InternetConnectW 584->587 588 18001cf6c-18001cfdc call 18000dd70 584->588 588->587
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.759708850.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ConnectInternet
                                                                    • String ID: :G?$C
                                                                    • API String ID: 3050416762-1225920220
                                                                    • Opcode ID: 76a7b635ccb7068e30ecf2b503a3beb8f1d88f81d4224a3a6f9b87d06452e60c
                                                                    • Instruction ID: f2a8b8884ccc4c3404819a5ba5e10ed0cdd0f68caef2c301b3e7290f999a0a2a
                                                                    • Opcode Fuzzy Hash: 76a7b635ccb7068e30ecf2b503a3beb8f1d88f81d4224a3a6f9b87d06452e60c
                                                                    • Instruction Fuzzy Hash: 5941F67450CB888FD7A8DF18D0857AAB7E0FB98314F508A5EE8CDC7296DB749844CB46
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000FB00 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 89fileCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.759708850.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateFile
                                                                    • String ID: gF\
                                                                    • API String ID: 823142352-1982329323
                                                                    • Opcode ID: 7df644aaf73cc9bcde4b6fb7fa72ed7f80eca5e2f74ec0139d961ef78fad827b
                                                                    • Instruction ID: 218d4d5182cb26b0f36475523bc21bdebfc34a2f4da3002633262ff40041eb9b
                                                                    • Opcode Fuzzy Hash: 7df644aaf73cc9bcde4b6fb7fa72ed7f80eca5e2f74ec0139d961ef78fad827b
                                                                    • Instruction Fuzzy Hash: 1931697051C7848BD778DF28D48679ABBE0FB89304F10891EE88DC3352DB709885CB86
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000A4FC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 86networkCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.759708850.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: HttpOpenRequest
                                                                    • String ID: :G?
                                                                    • API String ID: 1984915467-1508054202
                                                                    • Opcode ID: 21630c4fbef06d8aacd4c702dff3e94d0932750c237c7792a79e645746d5d1eb
                                                                    • Instruction ID: 60d2efcdc3634c8de813e735c521a1a1b2f1d3197bf379f764bafd55f5181dd8
                                                                    • Opcode Fuzzy Hash: 21630c4fbef06d8aacd4c702dff3e94d0932750c237c7792a79e645746d5d1eb
                                                                    • Instruction Fuzzy Hash: 83314E7060CB848FDBA8DF18D08679BB7E0FB98315F50455DE88CC7296DB789944CB86
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180012B50 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50networkCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.759708850.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: InternetOpen
                                                                    • String ID: :G?
                                                                    • API String ID: 2038078732-1508054202
                                                                    • Opcode ID: 73d4d0fe1beb5fabfcdff42c943db3c290933a411410652e7bad060f5d798a44
                                                                    • Instruction ID: c9298170b99e71c9961e7bb575de84f4b40d7dd1197e6373e1c7e5d4160ea6d3
                                                                    • Opcode Fuzzy Hash: 73d4d0fe1beb5fabfcdff42c943db3c290933a411410652e7bad060f5d798a44
                                                                    • Instruction Fuzzy Hash: 6F110A71518B888BD3A4DF64D48979BB7E1FB88319F50CA1DF4D9C6250DB788589CB02
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180015E2C Relevance: 1.6, APIs: 1, Instructions: 88threadCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.759708850.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateThread
                                                                    • String ID:
                                                                    • API String ID: 2422867632-0
                                                                    • Opcode ID: e7c4e665c3955ccb08a2ed1da7b867fe01ee184c9f438c553d3e32e703deb0b1
                                                                    • Instruction ID: c545beb4aab352fd45c13a3c06d211153dc7cc573a2023b45670cfe369ebb01f
                                                                    • Opcode Fuzzy Hash: e7c4e665c3955ccb08a2ed1da7b867fe01ee184c9f438c553d3e32e703deb0b1
                                                                    • Instruction Fuzzy Hash: 0731F67061CB448FD7A8DF68D48579ABBE0FB88304F508A5EE88CD7356DB349944CB86
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180019A30 Relevance: 1.6, APIs: 1, Instructions: 85COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.759708850.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: InformationVolume
                                                                    • String ID:
                                                                    • API String ID: 2039140958-0
                                                                    • Opcode ID: 88af29f83271a8505691566097a2d6f523e627b34a42d7322f8369dcba0ae3fb
                                                                    • Instruction ID: 89e8e56e51c5a60af2ecd67268569f3ffacd31b875f751963744359e30ad4776
                                                                    • Opcode Fuzzy Hash: 88af29f83271a8505691566097a2d6f523e627b34a42d7322f8369dcba0ae3fb
                                                                    • Instruction Fuzzy Hash: 2B31407051CB448FD7A8DF18D4C579AB7E0FB88315F60855EE88CC7255CB749948CB86
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%