Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
S0Uj3iEhau

Overview

General Information

Sample Name:S0Uj3iEhau (renamed file extension from none to dll)
Analysis ID:626507
MD5:bfc8c2c291a541379642dcf219f78be4
SHA1:0e2d22f72f957fda57c7d0c4498103ee52413127
SHA256:ecf2a07b01738c05497f5ff5aef2a93622ec7bfc353a66357bad30a5898c1e21
Tags:exetrojan
Infos:

Detection

Emotet
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
IP address seen in connection with other malware
PE file contains an invalid checksum
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 7052 cmdline: loaddll64.exe "C:\Users\user\Desktop\S0Uj3iEhau.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
    • cmd.exe (PID: 7060 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\S0Uj3iEhau.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 7080 cmdline: rundll32.exe "C:\Users\user\Desktop\S0Uj3iEhau.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
        • regsvr32.exe (PID: 3244 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LBQDVFLViUyJtRNx\yIKZtRHMJ.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 7068 cmdline: regsvr32.exe /s C:\Users\user\Desktop\S0Uj3iEhau.dll MD5: D78B75FC68247E8A63ACBA846182740E)
    • rundll32.exe (PID: 7088 cmdline: rundll32.exe C:\Users\user\Desktop\S0Uj3iEhau.dll,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 7136 cmdline: rundll32.exe C:\Users\user\Desktop\S0Uj3iEhau.dll,DllUnregisterServer MD5: 73C519F050C20580F8A62C849D49215A)
      • WerFault.exe (PID: 2756 cmdline: C:\Windows\system32\WerFault.exe -u -p 7136 -s 352 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
  • svchost.exe (PID: 5696 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 1448 cmdline: C:\Windows\system32\WerFault.exe -pss -s 468 -p 7136 -ip 7136 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
  • svchost.exe (PID: 6880 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6272 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3456 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3316 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4684 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
    00000002.00000002.392808581.0000000002200000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
      00000004.00000002.394351523.000001CB19B40000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
        00000005.00000000.398789542.000001B259EF0000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
          00000004.00000002.393369889.0000000180001000.00000020.00001000.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
            Click to see the 9 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            3.2.rundll32.exe.19190a20000.0.raw.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
              5.0.rundll32.exe.1b259ef0000.4.raw.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                3.2.rundll32.exe.19190a20000.0.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                  5.0.rundll32.exe.1b259ef0000.1.raw.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                    4.2.rundll32.exe.1cb19b40000.0.raw.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                      Click to see the 9 entries

                      Sigma Signatures

                      No Sigma rule has matched

                      Snort Signatures

                      No Snort rule has matched

                      Joe Sandbox Signatures

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Multi AV Scanner detection for submitted file
                      Source: S0Uj3iEhau.dllVirustotal: Detection: 29%Perma Link
                      Antivirus detection for URL or domain
                      Source: https://23.239.0.12/SAvira URL Cloud: Label: malware
                      Source: https://23.239.0.12/GAvira URL Cloud: Label: malware
                      Source: unknownHTTPS traffic detected: 23.239.0.12:443 -> 192.168.2.6:49775 version: TLS 1.2
                      Source: S0Uj3iEhau.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: msacm32.pdb source: rundll32.exe, 00000005.00000000.399964207.0000008DD2476000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.422370885.0000008DD2476000.00000004.00000010.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.896556076.00000000006F4000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: msacm32.pdbGCTL source: rundll32.exe, 00000005.00000000.399964207.0000008DD2476000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.422370885.0000008DD2476000.00000004.00000010.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.896556076.00000000006F4000.00000004.00000010.00020000.00000000.sdmp
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000D26C FindFirstFileW,FindNextFileW,FindClose,6_2_000000018000D26C

                      Networking

                      barindex
                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 23.239.0.12 443Jump to behavior
                      Source: Joe Sandbox ViewASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS
                      Source: Joe Sandbox ViewJA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1Cookie: cahxzYwrtATNSc=odbaSRoO+1g54WcgrhilL8OvjcPdBesD2Bt1m1jd5PVE0k7umvm3s+bMyB7g7Vy6cnIXcclpG3CxaZ0hzEaErtwGUZdayFpFmi1EvmEDIWzrSuIZIleNJqdsxehawsdQ2nAnbUdO/9Zj0RPuBnLvCMvxT90UXMNP29EcMTv574Ho9vYsRl8pPSrqt+rUszkPMOl5zwZmUyCemJ4dH7km7bbgZt6tX5nVna8AO1f8odSOFA9v+LGfS40ndEbeOYcHqSg30/HnHost: 23.239.0.12Connection: Keep-AliveCache-Control: no-cache
                      Source: Joe Sandbox ViewIP Address: 23.239.0.12 23.239.0.12
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49775
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49775 -> 443
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: unknownTCP traffic detected without corresponding DNS query: 23.239.0.12
                      Source: svchost.exe, 0000001A.00000003.660289425.000001E454F72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.facebook.com (Facebook)
                      Source: svchost.exe, 0000001A.00000003.660289425.000001E454F72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.twitter.com (Twitter)
                      Source: svchost.exe, 0000001A.00000003.660289425.000001E454F72000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.660315676.000001E454F83000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-05-13T10:00:01.2192622Z||.||8adb3f26-c14b-4fc0-afb3-91b3c6daaa3f||1152921505694830749||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                      Source: svchost.exe, 0000001A.00000003.660289425.000001E454F72000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.660315676.000001E454F83000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-05-13T10:00:01.2192622Z||.||8adb3f26-c14b-4fc0-afb3-91b3c6daaa3f||1152921505694830749||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
                      Source: regsvr32.exe, 00000006.00000003.461339030.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.896731162.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.708736972.000001E454F0D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: svchost.exe, 0000001A.00000002.708603813.000001E4546E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                      Source: svchost.exe, 0000001A.00000003.679134823.000001E454FAE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.679064066.000001E454F9D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.679042895.000001E454F8C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://help.disneyplus.com.
                      Source: regsvr32.exe, 00000006.00000003.461828194.0000000000AD2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.896656918.0000000000AD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://23.239.0.12/
                      Source: regsvr32.exe, 00000006.00000003.461828194.0000000000AD2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.896656918.0000000000AD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://23.239.0.12/G
                      Source: regsvr32.exe, 00000006.00000003.461828194.0000000000AD2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.896656918.0000000000AD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://23.239.0.12/S
                      Source: svchost.exe, 0000001A.00000003.679134823.000001E454FAE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.679064066.000001E454F9D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.679042895.000001E454F8C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://disneyplus.com/legal.
                      Source: svchost.exe, 0000001A.00000003.675064224.000001E455419000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.674852800.000001E454F9C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.674900463.000001E455402000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.675004497.000001E454F8A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.675019252.000001E454FAC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.674883833.000001E454FAC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.674928201.000001E455403000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.hotspotshield.com/
                      Source: svchost.exe, 0000001A.00000003.679134823.000001E454FAE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.679064066.000001E454F9D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.679042895.000001E454F8C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
                      Source: svchost.exe, 0000001A.00000003.679134823.000001E454FAE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.679064066.000001E454F9D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.679042895.000001E454F8C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
                      Source: svchost.exe, 0000001A.00000003.675064224.000001E455419000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.674852800.000001E454F9C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.674900463.000001E455402000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.675004497.000001E454F8A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.675019252.000001E454FAC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.674883833.000001E454FAC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.674928201.000001E455403000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.hotspotshield.com/terms/
                      Source: svchost.exe, 0000001A.00000003.675064224.000001E455419000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.674852800.000001E454F9C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.674900463.000001E455402000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.675004497.000001E454F8A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.675019252.000001E454FAC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.674883833.000001E454FAC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.674928201.000001E455403000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.pango.co/privacy
                      Source: svchost.exe, 0000001A.00000003.683825518.000001E454F8C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.683920479.000001E455418000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.683981167.000001E454F8C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.683956652.000001E455402000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.683936216.000001E455418000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.683837282.000001E454F9D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.684018548.000001E454FAE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.tiktok.com/legal/report/feedback
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800132F0 InternetReadFile,RtlAllocateHeap,6_2_00000001800132F0
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1Cookie: cahxzYwrtATNSc=odbaSRoO+1g54WcgrhilL8OvjcPdBesD2Bt1m1jd5PVE0k7umvm3s+bMyB7g7Vy6cnIXcclpG3CxaZ0hzEaErtwGUZdayFpFmi1EvmEDIWzrSuIZIleNJqdsxehawsdQ2nAnbUdO/9Zj0RPuBnLvCMvxT90UXMNP29EcMTv574Ho9vYsRl8pPSrqt+rUszkPMOl5zwZmUyCemJ4dH7km7bbgZt6tX5nVna8AO1f8odSOFA9v+LGfS40ndEbeOYcHqSg30/HnHost: 23.239.0.12Connection: Keep-AliveCache-Control: no-cache
                      Source: unknownHTTPS traffic detected: 23.239.0.12:443 -> 192.168.2.6:49775 version: TLS 1.2

                      E-Banking Fraud

                      barindex
                      Yara detected Emotet
                      Source: Yara matchFile source: 3.2.rundll32.exe.19190a20000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.rundll32.exe.1b259ef0000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.19190a20000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.rundll32.exe.1b259ef0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.1cb19b40000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.regsvr32.exe.bd0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.rundll32.exe.1b259ef0000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.1cb19b40000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.regsvr32.exe.bd0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.rundll32.exe.1b259ef0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.2200000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.1b259ef0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.1b259ef0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.2200000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.392808581.0000000002200000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.394351523.000001CB19B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.398789542.000001B259EF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.393369889.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.396970138.0000019190A20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.398502439.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.896847127.0000000000BD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.422319159.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.422611514.000001B259EF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.399522302.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.897009415.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.396212398.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.400744987.000001B259EF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 468 -p 7136 -ip 7136
                      Source: C:\Windows\System32\rundll32.exeFile deleted: C:\Windows\System32\LBQDVFLViUyJtRNx\yIKZtRHMJ.dll:Zone.IdentifierJump to behavior
                      Source: C:\Windows\System32\regsvr32.exeFile created: C:\Windows\system32\YwoBR\Jump to behavior
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF3081FCA02_2_00007FFF3081FCA0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF3081B5CC2_2_00007FFF3081B5CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF3081AA0C2_2_00007FFF3081AA0C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF3081895C2_2_00007FFF3081895C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF308159442_2_00007FFF30815944
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF3081E6C02_2_00007FFF3081E6C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF30816F0C2_2_00007FFF30816F0C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF3081AF702_2_00007FFF3081AF70
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF3081A77C2_2_00007FFF3081A77C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF3081EB602_2_00007FFF3081EB60
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF3081FB6C2_2_00007FFF3081FB6C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00BD00002_2_00BD0000
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180010FF42_2_0000000180010FF4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180028C202_2_0000000180028C20
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018002C0582_2_000000018002C058
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800091002_2_0000000180009100
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001C9642_2_000000018001C964
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000C6082_2_000000018000C608
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800216182_2_0000000180021618
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001E3AC2_2_000000018001E3AC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001DBE82_2_000000018001DBE8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001FC0C2_2_000000018001FC0C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000580C2_2_000000018000580C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800220102_2_0000000180022010
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001481C2_2_000000018001481C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018002A42C2_2_000000018002A42C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800118342_2_0000000180011834
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800238312_2_0000000180023831
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180021C3C2_2_0000000180021C3C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000703C2_2_000000018000703C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000AC482_2_000000018000AC48
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000FC482_2_000000018000FC48
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800064582_2_0000000180006458
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001C05C2_2_000000018001C05C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001A4602_2_000000018001A460
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800298882_2_0000000180029888
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001D49C2_2_000000018001D49C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180008CA02_2_0000000180008CA0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800248A82_2_00000001800248A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180015CB02_2_0000000180015CB0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800124B42_2_00000001800124B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000C4B42_2_000000018000C4B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800288B82_2_00000001800288B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800024B82_2_00000001800024B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000D8C42_2_000000018000D8C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800250CC2_2_00000001800250CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800190D42_2_00000001800190D4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180017CE42_2_0000000180017CE4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800264F02_2_00000001800264F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800014F82_2_00000001800014F8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180020CFC2_2_0000000180020CFC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018002C9042_2_000000018002C904
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800179082_2_0000000180017908
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800215102_2_0000000180021510
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000F9172_2_000000018000F917
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000551C2_2_000000018000551C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000F1282_2_000000018000F128
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001CD382_2_000000018001CD38
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180016D3C2_2_0000000180016D3C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001F9442_2_000000018001F944
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800181482_2_0000000180018148
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001ED502_2_000000018001ED50
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800131502_2_0000000180013150
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001D9502_2_000000018001D950
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001E9602_2_000000018001E960
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180019D602_2_0000000180019D60
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180001D682_2_0000000180001D68
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001496C2_2_000000018001496C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180002D702_2_0000000180002D70
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800021782_2_0000000180002178
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180024D802_2_0000000180024D80
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800185982_2_0000000180018598
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800035982_2_0000000180003598
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018002A9A82_2_000000018002A9A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800119A82_2_00000001800119A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180025DAC2_2_0000000180025DAC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180018DAC2_2_0000000180018DAC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800269B02_2_00000001800269B0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800059B82_2_00000001800059B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800029BC2_2_00000001800029BC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800141C02_2_00000001800141C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800125C42_2_00000001800125C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800121CC2_2_00000001800121CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000BDD02_2_000000018000BDD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800075D42_2_00000001800075D4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800095DC2_2_00000001800095DC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000F9E82_2_000000018000F9E8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800026102_2_0000000180002610
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800196182_2_0000000180019618
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180013E282_2_0000000180013E28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001FA382_2_000000018001FA38
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000A2702_2_000000018000A270
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180019E782_2_0000000180019E78
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001DA802_2_000000018001DA80
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800246982_2_0000000180024698
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000EE982_2_000000018000EE98
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800176B82_2_00000001800176B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001AAB82_2_000000018001AAB8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180011AD02_2_0000000180011AD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180008AD82_2_0000000180008AD8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800296EC2_2_00000001800296EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000A6EC2_2_000000018000A6EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800132F02_2_00000001800132F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800193002_2_0000000180019300
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001BB042_2_000000018001BB04
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018002870C2_2_000000018002870C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180026B102_2_0000000180026B10
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000131C2_2_000000018000131C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000671C2_2_000000018000671C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180029B282_2_0000000180029B28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180012F282_2_0000000180012F28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000BB282_2_000000018000BB28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001EB302_2_000000018001EB30
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800203342_2_0000000180020334
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800107582_2_0000000180010758
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001435C2_2_000000018001435C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180009F5C2_2_0000000180009F5C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800293682_2_0000000180029368
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800207682_2_0000000180020768
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800173782_2_0000000180017378
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800137802_2_0000000180013780
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800153882_2_0000000180015388
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000338C2_2_000000018000338C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000738C2_2_000000018000738C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800027902_2_0000000180002790
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180027F9C2_2_0000000180027F9C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800197A02_2_00000001800197A0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018002C7B42_2_000000018002C7B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001DFB42_2_000000018001DFB4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001F7C02_2_000000018001F7C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800097C02_2_00000001800097C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800157D82_2_00000001800157D8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180019FDC2_2_0000000180019FDC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180017BDC2_2_0000000180017BDC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018000F7E02_2_000000018000F7E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180001FE02_2_0000000180001FE0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180010FF43_2_0000000180010FF4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180028C203_2_0000000180028C20
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018002C0583_2_000000018002C058
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800091003_2_0000000180009100
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800079583_2_0000000180007958
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000C6083_2_000000018000C608
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800216183_2_0000000180021618
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180013E283_2_0000000180013E28
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001E3AC3_2_000000018001E3AC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001DBE83_2_000000018001DBE8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001FC0C3_2_000000018001FC0C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000580C3_2_000000018000580C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800220103_2_0000000180022010
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001481C3_2_000000018001481C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018002A42C3_2_000000018002A42C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800118343_2_0000000180011834
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800238313_2_0000000180023831
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180021C3C3_2_0000000180021C3C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000703C3_2_000000018000703C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000AC483_2_000000018000AC48
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000FC483_2_000000018000FC48
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800064583_2_0000000180006458
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001C05C3_2_000000018001C05C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001A4603_2_000000018001A460
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800298883_2_0000000180029888
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001D49C3_2_000000018001D49C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180008CA03_2_0000000180008CA0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800248A83_2_00000001800248A8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180015CB03_2_0000000180015CB0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800124B43_2_00000001800124B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000C4B43_2_000000018000C4B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800288B83_2_00000001800288B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800024B83_2_00000001800024B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000D8C43_2_000000018000D8C4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800250CC3_2_00000001800250CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800190D43_2_00000001800190D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180017CE43_2_0000000180017CE4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800264F03_2_00000001800264F0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800014F83_2_00000001800014F8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180020CFC3_2_0000000180020CFC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018002C9043_2_000000018002C904
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800179083_2_0000000180017908
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800215103_2_0000000180021510
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000F9173_2_000000018000F917
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000551C3_2_000000018000551C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000F1283_2_000000018000F128
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001CD383_2_000000018001CD38
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180016D3C3_2_0000000180016D3C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001F9443_2_000000018001F944
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800181483_2_0000000180018148
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001D9503_2_000000018001D950
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800131503_2_0000000180013150
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001ED503_2_000000018001ED50
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001E9603_2_000000018001E960
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180019D603_2_0000000180019D60
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001C9643_2_000000018001C964
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180001D683_2_0000000180001D68
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001496C3_2_000000018001496C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180002D703_2_0000000180002D70
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800021783_2_0000000180002178
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180024D803_2_0000000180024D80
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800185983_2_0000000180018598
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800035983_2_0000000180003598
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018002A9A83_2_000000018002A9A8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800119A83_2_00000001800119A8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180025DAC3_2_0000000180025DAC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180018DAC3_2_0000000180018DAC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800269B03_2_00000001800269B0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800059B83_2_00000001800059B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800029BC3_2_00000001800029BC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800141C03_2_00000001800141C0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800125C43_2_00000001800125C4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800121CC3_2_00000001800121CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800075D43_2_00000001800075D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800095DC3_2_00000001800095DC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000F9E83_2_000000018000F9E8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800026103_2_0000000180002610
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800196183_2_0000000180019618
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001FA383_2_000000018001FA38
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000A2703_2_000000018000A270
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180019E783_2_0000000180019E78
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001DA803_2_000000018001DA80
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800246983_2_0000000180024698
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000EE983_2_000000018000EE98
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800176B83_2_00000001800176B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001AAB83_2_000000018001AAB8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180011AD03_2_0000000180011AD0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180008AD83_2_0000000180008AD8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800296EC3_2_00000001800296EC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000A6EC3_2_000000018000A6EC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800132F03_2_00000001800132F0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800193003_2_0000000180019300
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001BB043_2_000000018001BB04
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018002870C3_2_000000018002870C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180026B103_2_0000000180026B10
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000131C3_2_000000018000131C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000671C3_2_000000018000671C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180029B283_2_0000000180029B28
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180012F283_2_0000000180012F28
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000BB283_2_000000018000BB28
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001EB303_2_000000018001EB30
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800203343_2_0000000180020334
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800107583_2_0000000180010758
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001435C3_2_000000018001435C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180009F5C3_2_0000000180009F5C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800293683_2_0000000180029368
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800207683_2_0000000180020768
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800173783_2_0000000180017378
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800137803_2_0000000180013780
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800153883_2_0000000180015388
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000338C3_2_000000018000338C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000738C3_2_000000018000738C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800027903_2_0000000180002790
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180027F9C3_2_0000000180027F9C
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800197A03_2_00000001800197A0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018002C7B43_2_000000018002C7B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001DFB43_2_000000018001DFB4
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001F7C03_2_000000018001F7C0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800097C03_2_00000001800097C0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800157D83_2_00000001800157D8
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180019FDC3_2_0000000180019FDC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180017BDC3_2_0000000180017BDC
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018000F7E03_2_000000018000F7E0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180001FE03_2_0000000180001FE0
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000191906B00003_2_00000191906B0000
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180010FF44_2_0000000180010FF4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018002C0584_2_000000018002C058
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800091004_2_0000000180009100
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000C6084_2_000000018000C608
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800216184_2_0000000180021618
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001E3AC4_2_000000018001E3AC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001DBE84_2_000000018001DBE8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001FC0C4_2_000000018001FC0C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000580C4_2_000000018000580C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800220104_2_0000000180022010
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001481C4_2_000000018001481C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018002A42C4_2_000000018002A42C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800118344_2_0000000180011834
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180021C3C4_2_0000000180021C3C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000703C4_2_000000018000703C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000AC484_2_000000018000AC48
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000FC484_2_000000018000FC48
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800064584_2_0000000180006458
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001C05C4_2_000000018001C05C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001A4604_2_000000018001A460
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800298884_2_0000000180029888
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001D49C4_2_000000018001D49C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180008CA04_2_0000000180008CA0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800248A84_2_00000001800248A8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180015CB04_2_0000000180015CB0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800124B44_2_00000001800124B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000C4B44_2_000000018000C4B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800288B84_2_00000001800288B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800024B84_2_00000001800024B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000D8C44_2_000000018000D8C4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800250CC4_2_00000001800250CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800190D44_2_00000001800190D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180017CE44_2_0000000180017CE4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800264F04_2_00000001800264F0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800014F84_2_00000001800014F8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180020CFC4_2_0000000180020CFC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018002C9044_2_000000018002C904
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800179084_2_0000000180017908
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800215104_2_0000000180021510
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000F9174_2_000000018000F917
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000551C4_2_000000018000551C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000F1284_2_000000018000F128
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001CD384_2_000000018001CD38
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180016D3C4_2_0000000180016D3C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001F9444_2_000000018001F944
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800181484_2_0000000180018148
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001ED504_2_000000018001ED50
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800131504_2_0000000180013150
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001D9504_2_000000018001D950
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001E9604_2_000000018001E960
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180019D604_2_0000000180019D60
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001C9644_2_000000018001C964
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180001D684_2_0000000180001D68
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001496C4_2_000000018001496C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180002D704_2_0000000180002D70
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800021784_2_0000000180002178
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180024D804_2_0000000180024D80
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800185984_2_0000000180018598
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800035984_2_0000000180003598
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018002A9A84_2_000000018002A9A8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800119A84_2_00000001800119A8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180025DAC4_2_0000000180025DAC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180018DAC4_2_0000000180018DAC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800269B04_2_00000001800269B0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800059B84_2_00000001800059B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800029BC4_2_00000001800029BC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800141C04_2_00000001800141C0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800125C44_2_00000001800125C4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800121CC4_2_00000001800121CC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800075D44_2_00000001800075D4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800095DC4_2_00000001800095DC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000F9E84_2_000000018000F9E8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800026104_2_0000000180002610
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800196184_2_0000000180019618
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180013E284_2_0000000180013E28
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001FA384_2_000000018001FA38
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000A2704_2_000000018000A270
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180019E784_2_0000000180019E78
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001DA804_2_000000018001DA80
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800246984_2_0000000180024698
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000EE984_2_000000018000EE98
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800176B84_2_00000001800176B8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001AAB84_2_000000018001AAB8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180011AD04_2_0000000180011AD0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180008AD84_2_0000000180008AD8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800296EC4_2_00000001800296EC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000A6EC4_2_000000018000A6EC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800132F04_2_00000001800132F0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800193004_2_0000000180019300
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001BB044_2_000000018001BB04
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018002870C4_2_000000018002870C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180026B104_2_0000000180026B10
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000131C4_2_000000018000131C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000671C4_2_000000018000671C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180029B284_2_0000000180029B28
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180012F284_2_0000000180012F28
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000BB284_2_000000018000BB28
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001EB304_2_000000018001EB30
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800203344_2_0000000180020334
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800107584_2_0000000180010758
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001435C4_2_000000018001435C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180009F5C4_2_0000000180009F5C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800293684_2_0000000180029368
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800207684_2_0000000180020768
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800173784_2_0000000180017378
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800137804_2_0000000180013780
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800153884_2_0000000180015388
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000338C4_2_000000018000338C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000738C4_2_000000018000738C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800027904_2_0000000180002790
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800197A04_2_00000001800197A0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018002C7B44_2_000000018002C7B4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001DFB44_2_000000018001DFB4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001F7C04_2_000000018001F7C0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800097C04_2_00000001800097C0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800157D84_2_00000001800157D8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180019FDC4_2_0000000180019FDC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180017BDC4_2_0000000180017BDC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018000F7E04_2_000000018000F7E0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180001FE04_2_0000000180001FE0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000001CB182600004_2_000001CB18260000
                      Source: C:\Windows\System32\rundll32.exeCode function: 5_2_000001B2585600005_2_000001B258560000
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00B900006_2_00B90000
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180010FF46_2_0000000180010FF4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180028C206_2_0000000180028C20
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018002C0586_2_000000018002C058
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001ACA46_2_000000018001ACA4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000551C6_2_000000018000551C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800181486_2_0000000180018148
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000E1E06_2_000000018000E1E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000C6086_2_000000018000C608
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800216186_2_0000000180021618
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180013E286_2_0000000180013E28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018002AE446_2_000000018002AE44
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000D26C6_2_000000018000D26C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800252786_2_0000000180025278
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000EE986_2_000000018000EE98
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800046A86_2_00000001800046A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180004ACA6_2_0000000180004ACA
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800132F06_2_00000001800132F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180026B106_2_0000000180026B10
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001DBE86_2_000000018001DBE8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001FC0C6_2_000000018001FC0C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000580C6_2_000000018000580C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800220106_2_0000000180022010
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001481C6_2_000000018001481C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018002A42C6_2_000000018002A42C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800118346_2_0000000180011834
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180021C3C6_2_0000000180021C3C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000703C6_2_000000018000703C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000AC486_2_000000018000AC48
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000FC486_2_000000018000FC48
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800244586_2_0000000180024458
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800064586_2_0000000180006458
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001C05C6_2_000000018001C05C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001A4606_2_000000018001A460
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800298886_2_0000000180029888
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001D49C6_2_000000018001D49C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180008CA06_2_0000000180008CA0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800248A86_2_00000001800248A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180015CB06_2_0000000180015CB0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800124B46_2_00000001800124B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000C4B46_2_000000018000C4B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800288B86_2_00000001800288B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800024B86_2_00000001800024B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000D8C46_2_000000018000D8C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800250CC6_2_00000001800250CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800190D46_2_00000001800190D4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180017CE46_2_0000000180017CE4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800264F06_2_00000001800264F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800014F86_2_00000001800014F8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180020CFC6_2_0000000180020CFC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800091006_2_0000000180009100
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018002C9046_2_000000018002C904
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800179086_2_0000000180017908
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800215106_2_0000000180021510
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000F9176_2_000000018000F917
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000F1286_2_000000018000F128
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001CD386_2_000000018001CD38
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180016D3C6_2_0000000180016D3C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001F9446_2_000000018001F944
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001D9506_2_000000018001D950
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800131506_2_0000000180013150
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001ED506_2_000000018001ED50
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001E9606_2_000000018001E960
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180019D606_2_0000000180019D60
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001C9646_2_000000018001C964
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001C5686_2_000000018001C568
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180001D686_2_0000000180001D68
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001496C6_2_000000018001496C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180002D706_2_0000000180002D70
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800245746_2_0000000180024574
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800021786_2_0000000180002178
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180024D806_2_0000000180024D80
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800185986_2_0000000180018598
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800035986_2_0000000180003598
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001F1A46_2_000000018001F1A4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018002A9A86_2_000000018002A9A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800119A86_2_00000001800119A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180025DAC6_2_0000000180025DAC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180018DAC6_2_0000000180018DAC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800269B06_2_00000001800269B0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800059B86_2_00000001800059B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800029BC6_2_00000001800029BC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800141C06_2_00000001800141C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800125C46_2_00000001800125C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800121CC6_2_00000001800121CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000BDD06_2_000000018000BDD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800075D46_2_00000001800075D4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800095DC6_2_00000001800095DC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000F9E86_2_000000018000F9E8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800026106_2_0000000180002610
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800196186_2_0000000180019618
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001FA386_2_000000018001FA38
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000A2706_2_000000018000A270
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180019E786_2_0000000180019E78
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001DA806_2_000000018001DA80
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800246986_2_0000000180024698
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800176B86_2_00000001800176B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001AAB86_2_000000018001AAB8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018002CAD06_2_000000018002CAD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180011AD06_2_0000000180011AD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180008AD86_2_0000000180008AD8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800296EC6_2_00000001800296EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000A6EC6_2_000000018000A6EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800193006_2_0000000180019300
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001BB046_2_000000018001BB04
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018002870C6_2_000000018002870C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000131C6_2_000000018000131C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000671C6_2_000000018000671C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180029B286_2_0000000180029B28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180012F286_2_0000000180012F28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000BB286_2_000000018000BB28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001EB306_2_000000018001EB30
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800203346_2_0000000180020334
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800107586_2_0000000180010758
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018001435C6_2_000000018001435C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180009F5C6_2_0000000180009F5C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800293686_2_0000000180029368
                      Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc.dllJump to behavior
                      Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc.dllJump to behavior
                      Source: S0Uj3iEhau.dllVirustotal: Detection: 29%
                      Source: S0Uj3iEhau.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll64.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\S0Uj3iEhau.dll"
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\S0Uj3iEhau.dll",#1
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\S0Uj3iEhau.dll
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\S0Uj3iEhau.dll",#1
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\S0Uj3iEhau.dll,DllRegisterServer
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\S0Uj3iEhau.dll,DllUnregisterServer
                      Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LBQDVFLViUyJtRNx\yIKZtRHMJ.dll"
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 468 -p 7136 -ip 7136
                      Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7136 -s 352
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\S0Uj3iEhau.dll",#1Jump to behavior
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\S0Uj3iEhau.dllJump to behavior
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\S0Uj3iEhau.dll,DllRegisterServerJump to behavior
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\S0Uj3iEhau.dll,DllUnregisterServerJump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\S0Uj3iEhau.dll",#1Jump to behavior
                      Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LBQDVFLViUyJtRNx\yIKZtRHMJ.dll"Jump to behavior
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 468 -p 7136 -ip 7136Jump to behavior
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7136 -s 352Jump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Windows\System32\regsvr32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32Jump to behavior
                      Source: C:\Windows\System32\svchost.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER409.tmpJump to behavior
                      Source: classification engineClassification label: mal76.troj.evad.winDLL@24/6@0/2
                      Source: C:\Windows\System32\regsvr32.exeFile read: C:\Users\desktop.iniJump to behavior
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800046A8 CreateToolhelp32Snapshot,Process32NextW,Process32FirstW,FindCloseChangeNotification,6_2_00000001800046A8
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\S0Uj3iEhau.dll",#1
                      Source: C:\Windows\System32\WerFault.exeMutant created: \BaseNamedObjects\Local\SM0:1448:120:WilError_01
                      Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7136
                      Source: C:\Windows\System32\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: S0Uj3iEhau.dllStatic PE information: Image base 0x180000000 > 0x60000000
                      Source: S0Uj3iEhau.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: msacm32.pdb source: rundll32.exe, 00000005.00000000.399964207.0000008DD2476000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.422370885.0000008DD2476000.00000004.00000010.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.896556076.00000000006F4000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: msacm32.pdbGCTL source: rundll32.exe, 00000005.00000000.399964207.0000008DD2476000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.422370885.0000008DD2476000.00000004.00000010.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.896556076.00000000006F4000.00000004.00000010.00020000.00000000.sdmp
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001AFFD push ebp; retf 2_2_000000018001AFFE
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00000001800051D1 push ebp; iretd 2_2_00000001800051D2
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001BA32 push ebp; retf 2_2_000000018001BA33
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180004E83 push es; ret 2_2_0000000180004E84
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001B694 push es; ret 2_2_000000018001B6E9
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001BADD push ebp; iretd 2_2_000000018001BADE
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001B717 push ebp; iretd 2_2_000000018001B718
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_0000000180007B3F push esp; retf 2_2_0000000180007B40
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_000000018001AF4E push ebp; retf 2_2_000000018001AF4F
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001AFFD push ebp; retf 3_2_000000018001AFFE
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00000001800051D1 push ebp; iretd 3_2_00000001800051D2
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001BA32 push ebp; retf 3_2_000000018001BA33
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0000000180004E83 push es; ret 3_2_0000000180004E84
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001B694 push es; ret 3_2_000000018001B6E9
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001BADD push ebp; iretd 3_2_000000018001BADE
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001B717 push ebp; iretd 3_2_000000018001B718
                      Source: C:\Windows\System32\rundll32.exeCode function: 3_2_000000018001AF4E push ebp; retf 3_2_000000018001AF4F
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001AFFD push ebp; retf 4_2_000000018001AFFE
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00000001800051D1 push ebp; iretd 4_2_00000001800051D2
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001BA32 push ebp; retf 4_2_000000018001BA33
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180004E83 push es; ret 4_2_0000000180004E84
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001B694 push es; ret 4_2_000000018001B6E9
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001BADD push ebp; iretd 4_2_000000018001BADE
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001B717 push ebp; iretd 4_2_000000018001B718
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000000180007B3F push esp; retf 4_2_0000000180007B40
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_000000018001AF4E push ebp; retf 4_2_000000018001AF4F
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_00000001800051D1 push ebp; iretd 6_2_00000001800051D2
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180004E83 push es; ret 6_2_0000000180004E84
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_0000000180007B3F push esp; retf 6_2_0000000180007B40
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF3081D0B8 LoadLibraryA,GetProcAddress,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,2_2_00007FFF3081D0B8
                      Source: S0Uj3iEhau.dllStatic PE information: real checksum: 0x85ab6 should be: 0x855f7
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\S0Uj3iEhau.dll
                      Source: C:\Windows\System32\rundll32.exePE file moved: C:\Windows\System32\LBQDVFLViUyJtRNx\yIKZtRHMJ.dllJump to behavior

                      Hooking and other Techniques for Hiding and Protection

                      barindex
                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Windows\System32\regsvr32.exeFile opened: C:\Windows\system32\YwoBR\GCMFZ.dll:Zone.Identifier read attributes | deleteJump to behavior
                      Source: C:\Windows\System32\rundll32.exeFile opened: C:\Windows\system32\LBQDVFLViUyJtRNx\yIKZtRHMJ.dll:Zone.Identifier read attributes | deleteJump to behavior
                      Source: C:\Windows\System32\rundll32.exeFile opened: C:\Windows\system32\HRMrOlGPavZxy\grVhsC.dll:Zone.Identifier read attributes | deleteJump to behavior
                      Source: C:\Windows\System32\WerFault.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\regsvr32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\svchost.exe TID: 4240Thread sleep time: -90000s >= -30000sJump to behavior
                      Source: C:\Windows\System32\regsvr32.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_2-9996
                      Source: C:\Windows\System32\regsvr32.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Windows\System32\regsvr32.exeCode function: 6_2_000000018000D26C FindFirstFileW,FindNextFileW,FindClose,6_2_000000018000D26C
                      Source: C:\Windows\System32\regsvr32.exeAPI call chain: ExitProcess graph end nodegraph_2-9997
                      Source: C:\Windows\System32\regsvr32.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Windows\System32\rundll32.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Windows\System32\rundll32.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: svchost.exe, 0000001A.00000002.708427364.000001E454681000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.704114148.000001E454681000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWP
                      Source: regsvr32.exe, 00000006.00000002.896709869.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.461881485.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.461966192.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.896678108.0000000000AE5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.461828194.0000000000AD2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.708603813.000001E4546E9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                      Source: svchost.exe, 0000000F.00000002.896650730.0000014F78E02000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
                      Source: svchost.exe, 0000001A.00000002.708603813.000001E4546E9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWn-WFP Native MAC Layer LightWeight Filter-0000
                      Source: svchost.exe, 0000000F.00000002.896686703.0000014F78E28000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF308120E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FFF308120E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF3081D0B8 LoadLibraryA,GetProcAddress,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,2_2_00007FFF3081D0B8
                      Source: C:\Windows\System32\loaddll64.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Windows\System32\rundll32.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Windows\System32\rundll32.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF308120E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FFF308120E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF30816550 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FFF30816550
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF3081D318 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FFF3081D318

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 23.239.0.12 443Jump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\S0Uj3iEhau.dll",#1Jump to behavior
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 468 -p 7136 -ip 7136Jump to behavior
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7136 -s 352Jump to behavior
                      Source: C:\Windows\System32\regsvr32.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\regsvr32.exeCode function: EnumSystemLocalesA,2_2_00007FFF3081C8C8
                      Source: C:\Windows\System32\regsvr32.exeCode function: EnumSystemLocalesA,2_2_00007FFF3081C834
                      Source: C:\Windows\System32\regsvr32.exeCode function: _getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,2_2_00007FFF3081C450
                      Source: C:\Windows\System32\regsvr32.exeCode function: GetLocaleInfoA,2_2_00007FFF3081E1E8
                      Source: C:\Windows\System32\regsvr32.exeCode function: _getptd,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,_itow_s,2_2_00007FFF3081C934
                      Source: C:\Windows\System32\regsvr32.exeCode function: GetLocaleInfoA,GetLocaleInfoA,GetACP,2_2_00007FFF3081C16C
                      Source: C:\Windows\System32\regsvr32.exeCode function: _getptd,GetLocaleInfoA,2_2_00007FFF3081C2B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: _getptd,GetLocaleInfoA,2_2_00007FFF3081C6E4
                      Source: C:\Windows\System32\regsvr32.exeCode function: EnumSystemLocalesA,2_2_00007FFF3081C7F4
                      Source: C:\Windows\System32\regsvr32.exeCode function: GetLocaleInfoW,2_2_00007FFF3081DF3C
                      Source: C:\Windows\System32\regsvr32.exeCode function: GetLocaleInfoW,2_2_00007FFF3081DF20
                      Source: C:\Windows\System32\regsvr32.exeCode function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,free,GetLocaleInfoA,2_2_00007FFF3081DF98
                      Source: C:\Windows\System32\regsvr32.exeCode function: GetLocaleInfoA,2_2_00007FFF3081C39C
                      Source: C:\Windows\System32\regsvr32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF30814558 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,2_2_00007FFF30814558
                      Source: C:\Windows\System32\regsvr32.exeCode function: 2_2_00007FFF3081E6C0 _lock,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,2_2_00007FFF3081E6C0

                      Stealing of Sensitive Information

                      barindex
                      Yara detected Emotet
                      Source: Yara matchFile source: 3.2.rundll32.exe.19190a20000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.rundll32.exe.1b259ef0000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.19190a20000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.rundll32.exe.1b259ef0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.1cb19b40000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.regsvr32.exe.bd0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.rundll32.exe.1b259ef0000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.1cb19b40000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.regsvr32.exe.bd0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.rundll32.exe.1b259ef0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.2200000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.1b259ef0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.1b259ef0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.regsvr32.exe.2200000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.392808581.0000000002200000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.394351523.000001CB19B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.398789542.000001B259EF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.393369889.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.396970138.0000019190A20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.398502439.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.896847127.0000000000BD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.422319159.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.422611514.000001B259EF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.399522302.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.897009415.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.396212398.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.400744987.000001B259EF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid Accounts2
                      Native API                      		1
                      DLL Side-Loading                      		111
                      Process Injection                      		2
                      Masquerading                      		OS Credential Dumping2
                      System Time Discovery                      		Remote Services1
                      Archive Collected Data                      		Exfiltration Over Other Network Medium11
                      Encrypted Channel                      		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
                      DLL Side-Loading                      		2
                      Virtualization/Sandbox Evasion                      		LSASS Memory1
                      Query Registry                      		Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth2
                      Ingress Tool Transfer                      		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)111
                      Process Injection                      		Security Account Manager21
                      Security Software Discovery                      		SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
                      Non-Application Layer Protocol                      		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
                      Hidden Files and Directories                      		NTDS2
                      Virtualization/Sandbox Evasion                      		Distributed Component Object ModelInput CaptureScheduled Transfer2
                      Application Layer Protocol                      		SIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                      Obfuscated Files or Information                      		LSA Secrets2
                      Process Discovery                      		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.common1
                      Regsvr32                      		Cached Domain Credentials1
                      Remote System Discovery                      		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup Items1
                      Rundll32                      		DCSync2
                      File and Directory Discovery                      		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
                      DLL Side-Loading                      		Proc Filesystem24
                      System Information Discovery                      		Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)1
                      File Deletion                      		/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 signatures2 2 Behavior Graph ID: 626507 Sample: S0Uj3iEhau Startdate: 14/05/2022 Architecture: WINDOWS Score: 76 41 Antivirus detection for URL or domain 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Yara detected Emotet 2->45 8 loaddll64.exe 1 2->8         started        10 svchost.exe 4 2->10         started        12 svchost.exe 2->12         started        14 4 other processes 2->14 process3 process4 16 cmd.exe 1 8->16         started        18 rundll32.exe 2 8->18         started        21 regsvr32.exe 2 8->21         started        23 rundll32.exe 8->23         started        25 WerFault.exe 10->25         started        signatures5 27 rundll32.exe 2 16->27         started        47 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->47 30 WerFault.exe 20 9 23->30         started        process6 dnsIp7 51 Hides that the sample has been downloaded from the Internet (zone.identifier) 27->51 33 regsvr32.exe 27->33         started        39 192.168.2.1 unknown unknown 30->39 signatures8 process9 dnsIp10 37 23.239.0.12, 443, 49775 LINODE-APLinodeLLCUS United States 33->37 49 System process connects to network (likely due to code injection or exploit) 33->49 signatures11

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      S0Uj3iEhau.dll30%VirustotalBrowse

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      SourceDetectionScannerLabelLinkDownload
                      5.2.rundll32.exe.1b259ef0000.1.unpack100%AviraHEUR/AGEN.1215493Download File
                      5.0.rundll32.exe.1b259ef0000.1.unpack100%AviraHEUR/AGEN.1215493Download File
                      5.0.rundll32.exe.1b259ef0000.4.unpack100%AviraHEUR/AGEN.1215493Download File
                      4.2.rundll32.exe.1cb19b40000.0.unpack100%AviraHEUR/AGEN.1215493Download File
                      6.2.regsvr32.exe.bd0000.1.unpack100%AviraHEUR/AGEN.1215493Download File
                      3.2.rundll32.exe.19190a20000.0.unpack100%AviraHEUR/AGEN.1215493Download File
                      2.2.regsvr32.exe.2200000.0.unpack100%AviraHEUR/AGEN.1215493Download File

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      https://www.disneyplus.com/legal/your-california-privacy-rights0%URL Reputationsafe
                      http://crl.ver)0%Avira URL Cloudsafe
                      https://www.disneyplus.com/legal/privacy-policy0%URL Reputationsafe
                      https://www.tiktok.com/legal/report/feedback0%URL Reputationsafe
                      https://23.239.0.12/S100%Avira URL Cloudmalware
                      https://23.239.0.12/0%URL Reputationsafe
                      https://23.239.0.12/G100%Avira URL Cloudmalware
                      http://help.disneyplus.com.0%URL Reputationsafe
                      https://www.pango.co/privacy0%URL Reputationsafe
                      https://disneyplus.com/legal.0%URL Reputationsafe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      Contacted URLs

                      NameMaliciousAntivirus DetectionReputation
                      https://23.239.0.12/true
                      • URL Reputation: safe
                      		unknown

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      https://www.disneyplus.com/legal/your-california-privacy-rightssvchost.exe, 0000001A.00000003.679134823.000001E454FAE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.679064066.000001E454F9D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.679042895.000001E454F8C000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://crl.ver)svchost.exe, 0000001A.00000002.708603813.000001E4546E9000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		low
                      https://www.disneyplus.com/legal/privacy-policysvchost.exe, 0000001A.00000003.679134823.000001E454FAE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.679064066.000001E454F9D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.679042895.000001E454F8C000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://www.tiktok.com/legal/report/feedbacksvchost.exe, 0000001A.00000003.683825518.000001E454F8C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.683920479.000001E455418000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.683981167.000001E454F8C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.683956652.000001E455402000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.683936216.000001E455418000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.683837282.000001E454F9D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.684018548.000001E454FAE000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://23.239.0.12/Sregsvr32.exe, 00000006.00000003.461828194.0000000000AD2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.896656918.0000000000AD2000.00000004.00000020.00020000.00000000.sdmptrue
                      • Avira URL Cloud: malware
                      		unknown
                      https://23.239.0.12/Gregsvr32.exe, 00000006.00000003.461828194.0000000000AD2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.896656918.0000000000AD2000.00000004.00000020.00020000.00000000.sdmptrue
                      • Avira URL Cloud: malware
                      		unknown
                      http://help.disneyplus.com.svchost.exe, 0000001A.00000003.679134823.000001E454FAE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.679064066.000001E454F9D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.679042895.000001E454F8C000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://support.hotspotshield.com/svchost.exe, 0000001A.00000003.675064224.000001E455419000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.674852800.000001E454F9C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.674900463.000001E455402000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.675004497.000001E454F8A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.675019252.000001E454FAC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.674883833.000001E454FAC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.674928201.000001E455403000.00000004.00000020.00020000.00000000.sdmpfalse
                        		high
                        https://www.hotspotshield.com/terms/svchost.exe, 0000001A.00000003.675064224.000001E455419000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.674852800.000001E454F9C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.674900463.000001E455402000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.675004497.000001E454F8A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.675019252.000001E454FAC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.674883833.000001E454FAC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.674928201.000001E455403000.00000004.00000020.00020000.00000000.sdmpfalse
                          		high
                          https://www.pango.co/privacysvchost.exe, 0000001A.00000003.675064224.000001E455419000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.674852800.000001E454F9C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.674900463.000001E455402000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.675004497.000001E454F8A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.675019252.000001E454FAC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.674883833.000001E454FAC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.674928201.000001E455403000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          https://disneyplus.com/legal.svchost.exe, 0000001A.00000003.679134823.000001E454FAE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.679064066.000001E454F9D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.679042895.000001E454F8C000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown

                          World Map of Contacted IPs

                          • No. of IPs < 25%
                          • 25% < No. of IPs < 50%
                          • 50% < No. of IPs < 75%
                          • 75% < No. of IPs

                          Public IPs

                          IPDomainCountryFlagASNASN NameMalicious
                          23.239.0.12
                          		unknownUnited States
                          		63949LINODE-APLinodeLLCUStrue

                          Private

                          IP
                          192.168.2.1

                          General Information

                          Joe Sandbox Version:34.0.0 Boulder Opal
                          Analysis ID:626507
                          Start date and time: 14/05/202205:13:292022-05-14 05:13:29 +02:00
                          Joe Sandbox Product:CloudBasic
                          Overall analysis duration:0h 9m 55s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Sample file name:S0Uj3iEhau (renamed file extension from none to dll)
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                          Number of analysed new started processes analysed:28
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Detection:MAL
                          Classification:mal76.troj.evad.winDLL@24/6@0/2
                          EGA Information:
                          • Successful, ratio: 100%
                          HDC Information:Failed
                          HCA Information:
                          • Successful, ratio: 99%
                          • Number of executed functions: 42
                          • Number of non-executed functions: 195
                          Cookbook Comments:
                          • Adjust boot time
                          • Enable AMSI
                          • Override analysis time to 240s for rundll32

                          Warnings

                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, wuapihost.exe
                          • Excluded IPs from analysis (whitelisted): 23.211.4.86, 23.211.6.115, 20.42.65.92, 20.223.24.244
                          • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, onedsblobprdeus17.eastus.cloudapp.azure.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                          • Not all processes where analyzed, report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.

                          Simulations

                          Behavior and APIs

                          TimeTypeDescription
                          05:15:05API Interceptor1x Sleep call for process: WerFault.exe modified
                          05:16:57API Interceptor8x Sleep call for process: svchost.exe modified

                          Joe Sandbox View / Context

                          IPs

                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                          23.239.0.121V4gPPcQvB.dllGet hashmaliciousBrowse
                            1Klocu2k7B.dllGet hashmaliciousBrowse
                              vur7t4SumQ.dllGet hashmaliciousBrowse
                                auExrOTnvB.dllGet hashmaliciousBrowse
                                  PvaOeKqrBs.dllGet hashmaliciousBrowse
                                    1V4gPPcQvB.dllGet hashmaliciousBrowse
                                      Plt3z2W7KQ.dllGet hashmaliciousBrowse
                                        2V7zjcga5L.dllGet hashmaliciousBrowse
                                          vur7t4SumQ.dllGet hashmaliciousBrowse
                                            3j6e3XaMWM.dllGet hashmaliciousBrowse
                                              wgJ5YjI2QO.dllGet hashmaliciousBrowse
                                                r0hiaXHscs.dllGet hashmaliciousBrowse
                                                  TSvDnT6fkE.dllGet hashmaliciousBrowse
                                                    Plt3z2W7KQ.dllGet hashmaliciousBrowse
                                                      2V7zjcga5L.dllGet hashmaliciousBrowse
                                                        RuqTBW6t32.dllGet hashmaliciousBrowse
                                                          yj81rxDZIp.dllGet hashmaliciousBrowse
                                                            3j6e3XaMWM.dllGet hashmaliciousBrowse
                                                              wgJ5YjI2QO.dllGet hashmaliciousBrowse
                                                                r0hiaXHscs.dllGet hashmaliciousBrowse

                                                                  Domains

                                                                  No context

                                                                  ASNs

                                                                  MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                  LINODE-APLinodeLLCUS1V4gPPcQvB.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  1Klocu2k7B.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  vur7t4SumQ.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  auExrOTnvB.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  PvaOeKqrBs.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  1V4gPPcQvB.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  Plt3z2W7KQ.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  2V7zjcga5L.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  vur7t4SumQ.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  3j6e3XaMWM.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  wgJ5YjI2QO.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  r0hiaXHscs.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  TSvDnT6fkE.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  Plt3z2W7KQ.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  2V7zjcga5L.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  RuqTBW6t32.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  yj81rxDZIp.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  3j6e3XaMWM.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  wgJ5YjI2QO.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  r0hiaXHscs.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12

                                                                  JA3 Fingerprints

                                                                  MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                  51c64c77e60f3980eea90869b68c58a81V4gPPcQvB.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  1Klocu2k7B.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  vur7t4SumQ.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  auExrOTnvB.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  PvaOeKqrBs.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  1V4gPPcQvB.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  Plt3z2W7KQ.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  2V7zjcga5L.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  vur7t4SumQ.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  3j6e3XaMWM.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  wgJ5YjI2QO.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  r0hiaXHscs.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  TSvDnT6fkE.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  Plt3z2W7KQ.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  2V7zjcga5L.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  RuqTBW6t32.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  yj81rxDZIp.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  3j6e3XaMWM.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  wgJ5YjI2QO.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12
                                                                  r0hiaXHscs.dllGet hashmaliciousBrowse
                                                                  • 23.239.0.12

                                                                  Dropped Files

                                                                  No context

                                                                  Created / dropped Files

                                                                  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_S0U_624f1bf42cf3970c0bbbc2316f5a353e1dba16_e01ee71e_0afa0dae\Report.wer

                                                                  Download File
                                                                  Process:C:\Windows\System32\WerFault.exe
                                                                  File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):65536
                                                                  Entropy (8bit):0.7851412003281448
                                                                  Encrypted:false
                                                                  SSDEEP:96:PiFHYl6EiwJPnyRjf55oX7R16tpXIQcQE7c6EPrcEYcw3uhXaXz+HbHgSQgJPbeG:KS9iwJKpHK7gPri4jA9/u7suS274ltO
                                                                  MD5:749560FBBB20D1CAA47BCC3111C57C19
                                                                  SHA1:32EE9753118636B2114F146DB0CD3FE424E52221
                                                                  SHA-256:6F5021FEE9D6ABA74A54B748841062DB3D0F9281105F92B81925454F44A4CC8D
                                                                  SHA-512:2CEA4CFDBCA07778151E0C885BFAF7624D033C0CCEE5557AA1FDA12A9D415F33232FD116C29B1626193B1DCEAE47B03A2A9074B7FB68D432D91974B8E029DA1D
                                                                  Malicious:false
                                                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.7.0.0.4.0.9.7.4.6.8.4.3.6.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.7.0.0.4.1.0.4.0.3.0.8.9.1.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.5.3.e.4.1.d.6.-.3.e.a.e.-.4.e.f.9.-.8.0.4.a.-.6.4.6.a.a.5.c.4.1.3.7.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.e.2.9.f.c.d.9.-.6.a.3.0.-.4.f.8.4.-.9.4.3.7.-.4.b.7.c.e.6.f.9.d.a.a.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.S.0.U.j.3.i.E.h.a.u...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.e.0.-.0.0.0.1.-.0.0.1.8.-.9.2.b.0.-.0.1.3.5.8.c.6.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.2.f.3.4.c.c.f.d.d.8.1.4.1.a.e.e.e.2.e.8.9.f.f.b.0.7.0.c.e.2.3.9.c.7.d.0.0.7.0.6.!.

                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER2B3.tmp.xml

                                                                  Download File
                                                                  Process:C:\Windows\System32\WerFault.exe
                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):4892
                                                                  Entropy (8bit):4.498279905921788
                                                                  Encrypted:false
                                                                  SSDEEP:48:cvIwSD8zsPJgtBI9l5Wgc8sqYjQ8fm8M4JCOChinFfyq8vhhi2ZESC5Snd:uITfx/IgrsqYJJDW3Vvnd
                                                                  MD5:A24B5B8A26C562F4940969BD0E4A5013
                                                                  SHA1:A24A32739C9EA8676AEEDF9C53654A85C8776902
                                                                  SHA-256:2B99118831A0F3221CADB50E03B62C479F6DDCF403AAF62D22F331B987526B83
                                                                  SHA-512:30B52E73C7CE6CACF83A558F0D16E14480F67B69140E5E450D1A2C1E211DBF5918322325E6C7FA8E48999F177239FFFD98CEB7DF17F5B3438CD15B09CF2DAFA7
                                                                  Malicious:false
                                                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1514725" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER409.tmp.csv

                                                                  Download File
                                                                  Process:C:\Windows\System32\svchost.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):52122
                                                                  Entropy (8bit):3.0518159896500996
                                                                  Encrypted:false
                                                                  SSDEEP:1536:PpH9ZtzpRZYShw9KNmO4Tist4o9wG0lzNVVj60:PpH9ZtzpRZYShw9KNmOWist4o9wG0lzl
                                                                  MD5:E77B7E8AD0FA6D47496222C4580609F5
                                                                  SHA1:748AA1B14179B6C401B9DDC39E1329E9601D7E21
                                                                  SHA-256:E003592328ADD6EE76B34E28F0BEFB34ACFD3FA11B1A8BAB37B3041D6884D894
                                                                  SHA-512:E26D9E426E808F69CC850567E2177A9C99A2202E8305D86237C51EACB0F622FC2B45F88A447ECEDF760D2C8EACA8D729AEED106DFBCE5AF166565BEC81B01C28
                                                                  Malicious:false
                                                                  Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER65C.tmp.txt

                                                                  Download File
                                                                  Process:C:\Windows\System32\svchost.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):13340
                                                                  Entropy (8bit):2.696931585428716
                                                                  Encrypted:false
                                                                  SSDEEP:96:kiZYW3QwvgyAYf3YPWuWHmYEZIGtFiReBPSwV7joYaBYEz3NwFenId+3:hZD3QjW3I+YNa+ExwFPd+3
                                                                  MD5:A7EE73055DF68D11625D0E7904C8457B
                                                                  SHA1:9589CB7B2C27B8ADC682965F6A4AD4AEC41D2496
                                                                  SHA-256:FF1A630891261AC0ADC65C2CE90A4312EA4BECD9F0F8182DFABC3E95B1A74B3C
                                                                  SHA-512:177B2D7E754D0F2B5C15AC17EA4EE0E5899BCECFDD0ADD13A3D467F4380418E94C93C7378CD7770D52BA4060BB093B5098A771CF8C8D6877B33AB73B3E01104D
                                                                  Malicious:false
                                                                  Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.2.6.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WEREE20.tmp.dmp

                                                                  Download File
                                                                  Process:C:\Windows\System32\WerFault.exe
                                                                  File Type:Mini DuMP crash report, 15 streams, Sat May 14 12:14:58 2022, 0x1205a4 type
                                                                  Category:dropped
                                                                  Size (bytes):61830
                                                                  Entropy (8bit):2.3644025683441177
                                                                  Encrypted:false
                                                                  SSDEEP:384:tgvroVmxZCIrBErIMyq7QEtqz0feXOVuG:LkzCIrSxyeNtqz0W6
                                                                  MD5:8758E8F7AA056EEDDC4065A4AD74E9F1
                                                                  SHA1:E348D8D7ACCC99DB2AF812DAAAC1E1F2AE659BF4
                                                                  SHA-256:1DF0FB7CD3DC7806B05979203E3287536C07E412475E0C43BAFF6049BC068147
                                                                  SHA-512:F8D1037F33A2FD8A6219BB6ACB4F3D49DB25475CA563769134492FD133EB5BCFAD5AA479932509DE0C522FFDE06970356AF8A699BE9597F0FB3FFBC20FBCC711
                                                                  Malicious:false
                                                                  Preview:MDMP....... .......B..b....................................|...8.......D...L;..........`.......8...........T...........X................"...........$...................................................................U...........B......8%......Lw.....................T...........8..b.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERF620.tmp.WERInternalMetadata.xml

                                                                  Download File
                                                                  Process:C:\Windows\System32\WerFault.exe
                                                                  File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):6664
                                                                  Entropy (8bit):3.715853742175434
                                                                  Encrypted:false
                                                                  SSDEEP:192:Rrl7r3GLNimjSjcVnMPI3kYsYS0VCprNQ89beejrfu8km:RrlsNioSjcdMAUYsYS0q/Pfd
                                                                  MD5:9390499B0E4BD6DE64802293AFCD7E2B
                                                                  SHA1:7E606768C181B57E5EEBF8078AC526CD2AF0C044
                                                                  SHA-256:3A12533604051DBBC72545EB9D4A2936919380A979F085F619F07203D77F4B16
                                                                  SHA-512:E0CC0CE7EA5D1E35CC936BF04841747236A7FD88A2B9AF6EDA49F9B37118369128628E7581022E2DDC6B67416F24F5F56438EB984EA7F7A27253D0266539AAB4
                                                                  Malicious:false
                                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.3.6.<./.P.i.d.>.......

                                                                  Static File Info

                                                                  General

                                                                  File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                  Entropy (8bit):6.482082028693859
                                                                  TrID:
                                                                  • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
                                                                  • Win64 Executable (generic) (12005/4) 10.17%
                                                                  • Generic Win/DOS Executable (2004/3) 1.70%
                                                                  • DOS Executable Generic (2002/1) 1.70%
                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
                                                                  File name:S0Uj3iEhau.dll
                                                                  File size:545280
                                                                  MD5:bfc8c2c291a541379642dcf219f78be4
                                                                  SHA1:0e2d22f72f957fda57c7d0c4498103ee52413127
                                                                  SHA256:ecf2a07b01738c05497f5ff5aef2a93622ec7bfc353a66357bad30a5898c1e21
                                                                  SHA512:c346ce4ef57f9a22cc30084310d77bc1e7cde958d75a3852ee2e660204a03018174a21662d49f856981b38897551ff5dfdda15fd4620b52526a1151005dbf0ce
                                                                  SSDEEP:12288:B4UJY9B+TenWsSEPHjMOUP9uXdt7JpfYNVr9RM54RutCTdJGqIoTCZ4eEsZOHxHy:B4UJY9BSenZSEPHjMOUP9Udt7JpfYNVm
                                                                  TLSH:32C4CFA5435C08FCE762C3395C975BC5B1F7BDAE0664AF260BC18DA05E1BA90F53A381
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2.H.v.&.v.&.v.&.h...o.&.h...2.&.h.....&.Q6].s.&.v.'.9.&.h...w.&.h...w.&.h...w.&.h...w.&.Richv.&.........PE..d.....}b.........."

                                                                  File Icon

                                                                  Icon Hash:74f0e4ecccdce0e4

                                                                  Static PE Info

                                                                  General

                                                                  Entrypoint:0x1800423a8
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x180000000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                                                  Time Stamp:0x627D8598 [Thu May 12 22:09:28 2022 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:5
                                                                  OS Version Minor:2
                                                                  File Version Major:5
                                                                  File Version Minor:2
                                                                  Subsystem Version Major:5
                                                                  Subsystem Version Minor:2
                                                                  Import Hash:b268dbaa2e6eb6acd16e04d482356598

                                                                  Entrypoint Preview

                                                                  Instruction
                                                                  dec eax
                                                                  mov dword ptr [esp+08h], ebx
                                                                  dec eax
                                                                  mov dword ptr [esp+10h], esi
                                                                  push edi
                                                                  dec eax
                                                                  sub esp, 20h
                                                                  dec ecx
                                                                  mov edi, eax
                                                                  mov ebx, edx
                                                                  dec eax
                                                                  mov esi, ecx
                                                                  cmp edx, 01h
                                                                  jne 00007F00A86F0327h
                                                                  call 00007F00A86F24B4h
                                                                  dec esp
                                                                  mov eax, edi
                                                                  mov edx, ebx
                                                                  dec eax
                                                                  mov ecx, esi
                                                                  dec eax
                                                                  mov ebx, dword ptr [esp+30h]
                                                                  dec eax
                                                                  mov esi, dword ptr [esp+38h]
                                                                  dec eax
                                                                  add esp, 20h
                                                                  pop edi
                                                                  jmp 00007F00A86F01D0h
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  dec eax
                                                                  mov dword ptr [esp+08h], ecx
                                                                  dec eax
                                                                  sub esp, 00000088h
                                                                  dec eax
                                                                  lea ecx, dword ptr [00014D05h]
                                                                  call dword ptr [0000FC7Fh]
                                                                  dec esp
                                                                  mov ebx, dword ptr [00014DF0h]
                                                                  dec esp
                                                                  mov dword ptr [esp+58h], ebx
                                                                  inc ebp
                                                                  xor eax, eax
                                                                  dec eax
                                                                  lea edx, dword ptr [esp+60h]
                                                                  dec eax
                                                                  mov ecx, dword ptr [esp+58h]
                                                                  call 00007F00A86FEEAAh
                                                                  dec eax
                                                                  mov dword ptr [esp+50h], eax
                                                                  dec eax
                                                                  cmp dword ptr [esp+50h], 00000000h
                                                                  je 00007F00A86F0363h
                                                                  dec eax
                                                                  mov dword ptr [esp+38h], 00000000h
                                                                  dec eax
                                                                  lea eax, dword ptr [esp+48h]
                                                                  dec eax
                                                                  mov dword ptr [esp+30h], eax
                                                                  dec eax
                                                                  lea eax, dword ptr [esp+40h]
                                                                  dec eax
                                                                  mov dword ptr [esp+28h], eax
                                                                  dec eax
                                                                  lea eax, dword ptr [00014CB0h]
                                                                  dec eax
                                                                  mov dword ptr [esp+20h], eax
                                                                  dec esp
                                                                  mov ecx, dword ptr [esp+50h]
                                                                  dec esp
                                                                  mov eax, dword ptr [esp+58h]
                                                                  dec eax
                                                                  mov edx, dword ptr [esp+60h]
                                                                  xor ecx, ecx
                                                                  call 00007F00A86FEE58h
                                                                  jmp 00007F00A86F0344h
                                                                  dec eax
                                                                  mov eax, dword ptr [eax+eax+00000000h]

                                                                  Rich Headers

                                                                  Programming Language:
                                                                  • [ C ] VS2008 build 21022
                                                                  • [LNK] VS2008 build 21022
                                                                  • [ASM] VS2008 build 21022
                                                                  • [IMP] VS2005 build 50727
                                                                  • [RES] VS2008 build 21022
                                                                  • [EXP] VS2008 build 21022
                                                                  • [C++] VS2008 build 21022

                                                                  Data Directories

                                                                  NameVirtual AddressVirtual Size Is in Section
                                                                  IMAGE_DIRECTORY_ENTRY_EXPORT0x55cf00x6f.rdata
                                                                  IMAGE_DIRECTORY_ENTRY_IMPORT0x5544c0x3c.rdata
                                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE0x5a0000x2dffc.rsrc
                                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x590000xe1c.pdata
                                                                  IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC0x880000x1d8.reloc
                                                                  IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_IAT0x520000x288.rdata
                                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                  Sections

                                                                  NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                  .text0x10000x504ca0x50600False0.389081940124zlib compressed data5.26882252971IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                  .rdata0x520000x3d5f0x3e00False0.355279737903data5.39250228185IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                  .data0x560000x20d80x1200False0.180772569444data2.18161586025IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                  .pdata0x590000xe1c0x1000False0.44580078125data4.98556265168IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                  .rsrc0x5a0000x2dffc0x2e000False0.839408542799data7.73448363752IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                  .reloc0x880000x6f80x800False0.1796875data1.81179169858IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                  Resources

                                                                  NameRVASizeTypeLanguageCountry
                                                                  RT_RCDATA0x5a0a00x2de00dataEnglishUnited States
                                                                  RT_MANIFEST0x87ea00x15aASCII text, with CRLF line terminatorsEnglishUnited States

                                                                  Imports

                                                                  DLLImport
                                                                  KERNEL32.dllExitProcess, VirtualAlloc, CompareStringW, CompareStringA, GetTimeZoneInformation, GetLocaleInfoW, GetCurrentThreadId, FlsSetValue, GetCommandLineA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, EncodePointer, DecodePointer, TlsAlloc, FlsGetValue, FlsFree, SetLastError, GetLastError, GetCurrentThread, FlsAlloc, HeapFree, Sleep, GetModuleHandleW, GetProcAddress, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, HeapSetInformation, HeapCreate, HeapDestroy, RtlUnwindEx, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, LeaveCriticalSection, FatalAppExitA, EnterCriticalSection, HeapAlloc, HeapReAlloc, WriteFile, SetConsoleCtrlHandler, FreeLibrary, LoadLibraryA, InitializeCriticalSectionAndSpinCount, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetDateFormatA, GetTimeFormatA, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, HeapSize, SetEnvironmentVariableA
                                                                  ole32.dllCoTaskMemFree, CoLoadLibrary, CoTaskMemAlloc

                                                                  Exports

                                                                  NameOrdinalAddress
                                                                  DllRegisterServer10x180042050
                                                                  DllUnregisterServer20x180042080

                                                                  Possible Origin

                                                                  Language of compilation systemCountry where language is spokenMap
                                                                  EnglishUnited States

                                                                  Network Behavior

                                                                  Network Port Distribution

                                                                  TCP Packets

                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                  May 14, 2022 05:15:19.845846891 CEST49775443192.168.2.623.239.0.12
                                                                  May 14, 2022 05:15:19.845907927 CEST4434977523.239.0.12192.168.2.6
                                                                  May 14, 2022 05:15:19.845992088 CEST49775443192.168.2.623.239.0.12
                                                                  May 14, 2022 05:15:19.945772886 CEST49775443192.168.2.623.239.0.12
                                                                  May 14, 2022 05:15:19.945800066 CEST4434977523.239.0.12192.168.2.6
                                                                  May 14, 2022 05:15:20.483073950 CEST4434977523.239.0.12192.168.2.6
                                                                  May 14, 2022 05:15:20.483268976 CEST49775443192.168.2.623.239.0.12
                                                                  May 14, 2022 05:15:24.015535116 CEST49775443192.168.2.623.239.0.12
                                                                  May 14, 2022 05:15:24.015585899 CEST4434977523.239.0.12192.168.2.6
                                                                  May 14, 2022 05:15:24.015990019 CEST4434977523.239.0.12192.168.2.6
                                                                  May 14, 2022 05:15:24.016088009 CEST49775443192.168.2.623.239.0.12
                                                                  May 14, 2022 05:15:24.029586077 CEST49775443192.168.2.623.239.0.12
                                                                  May 14, 2022 05:15:24.072501898 CEST4434977523.239.0.12192.168.2.6
                                                                  May 14, 2022 05:15:24.873889923 CEST4434977523.239.0.12192.168.2.6
                                                                  May 14, 2022 05:15:24.873981953 CEST4434977523.239.0.12192.168.2.6
                                                                  May 14, 2022 05:15:24.874042988 CEST49775443192.168.2.623.239.0.12
                                                                  May 14, 2022 05:15:24.874066114 CEST49775443192.168.2.623.239.0.12
                                                                  May 14, 2022 05:15:24.903692961 CEST49775443192.168.2.623.239.0.12
                                                                  May 14, 2022 05:15:24.903732061 CEST4434977523.239.0.12192.168.2.6

                                                                  HTTP Request Dependency Graph

                                                                  • 23.239.0.12

                                                                  HTTPS Proxied Packets

                                                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                  0192.168.2.64977523.239.0.12443C:\Windows\System32\regsvr32.exe
                                                                  TimestampkBytes transferredDirectionData
                                                                  2022-05-14 03:15:24 UTC0OUTGET / HTTP/1.1
                                                                  Cookie: cahxzYwrtATNSc=odbaSRoO+1g54WcgrhilL8OvjcPdBesD2Bt1m1jd5PVE0k7umvm3s+bMyB7g7Vy6cnIXcclpG3CxaZ0hzEaErtwGUZdayFpFmi1EvmEDIWzrSuIZIleNJqdsxehawsdQ2nAnbUdO/9Zj0RPuBnLvCMvxT90UXMNP29EcMTv574Ho9vYsRl8pPSrqt+rUszkPMOl5zwZmUyCemJ4dH7km7bbgZt6tX5nVna8AO1f8odSOFA9v+LGfS40ndEbeOYcHqSg30/Hn
                                                                  Host: 23.239.0.12
                                                                  Connection: Keep-Alive
                                                                  Cache-Control: no-cache
                                                                  2022-05-14 03:15:24 UTC0INHTTP/1.1 200 OK
                                                                  Server: nginx
                                                                  Date: Sat, 14 May 2022 03:15:24 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  2022-05-14 03:15:24 UTC0INData Raw: 64 31 0d 0a 72 68 e2 90 c1 cc 91 e9 b7 99 eb 11 81 46 06 0c f5 c9 c8 8a 4f 0a 7e 1e 06 82 6b 62 1a cc 53 b6 6a f6 cc e1 a0 d6 91 ac d0 0c 3a b0 6e d5 4f 64 73 30 5d 76 81 40 7d b9 e5 77 3a 66 9c c0 d8 2f 31 ec a2 23 58 75 d2 9d fe 46 01 e3 4d 7f 50 fc 23 b0 41 1f f6 25 6d 8e ff ad 95 92 9c c1 63 fe 91 d3 ca a7 b6 cb dd 8d 0b b3 70 c0 0a 00 25 b0 31 17 6a 2b 4e a6 81 9f bd da 8e 4a de 78 1e 7f 9a c1 4c f4 14 a6 fd fc 29 df 70 3e 1f 58 29 f4 b4 2d 32 67 8d bd 4f a6 9d 38 c1 06 e8 22 a5 f4 c3 63 77 b2 f7 a9 09 3a 94 2c 13 c2 72 32 a3 dd db bc 31 98 79 d8 14 21 6d bf 98 8d bd 0f ec 7b 12 df ef 2d 79 77 21 ce 62 83 a6 e0 49 6a 8b da 1c 0d 0a 30 0d 0a 0d 0a
                                                                  Data Ascii: d1rhFO~kbSj:nOds0]v@}w:f/1#XuFMP#A%mcp%1j+NJxL)p>X)-2gO8"cw:,r21y!m{-yw!bIj0


                                                                  Statistics

                                                                  CPU Usage

                                                                  Click to jump to process

                                                                  Memory Usage

                                                                  Click to jump to process

                                                                  High Level Behavior Distribution

                                                                  Click to dive into process behavior distribution

                                                                  Behavior

                                                                  Click to jump to process

                                                                  System Behavior

                                                                  General

                                                                  Target ID:0
                                                                  Start time:05:14:44
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\loaddll64.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:loaddll64.exe "C:\Users\user\Desktop\S0Uj3iEhau.dll"
                                                                  Imagebase:0x7ff7492f0000
                                                                  File size:140288 bytes
                                                                  MD5 hash:4E8A40CAD6CCC047914E3A7830A2D8AA
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  General

                                                                  Target ID:1
                                                                  Start time:05:14:44
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\cmd.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\S0Uj3iEhau.dll",#1
                                                                  Imagebase:0x7ff6edbd0000
                                                                  File size:273920 bytes
                                                                  MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  General

                                                                  Target ID:2
                                                                  Start time:05:14:45
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\regsvr32.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:regsvr32.exe /s C:\Users\user\Desktop\S0Uj3iEhau.dll
                                                                  Imagebase:0x7ff7b01f0000
                                                                  File size:24064 bytes
                                                                  MD5 hash:D78B75FC68247E8A63ACBA846182740E
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.392808581.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:high

                                                                  General

                                                                  Target ID:3
                                                                  Start time:05:14:45
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\rundll32.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:rundll32.exe "C:\Users\user\Desktop\S0Uj3iEhau.dll",#1
                                                                  Imagebase:0x7ff6aea10000
                                                                  File size:69632 bytes
                                                                  MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.396970138.0000019190A20000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.396212398.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:high

                                                                  General

                                                                  Target ID:4
                                                                  Start time:05:14:45
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\rundll32.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:rundll32.exe C:\Users\user\Desktop\S0Uj3iEhau.dll,DllRegisterServer
                                                                  Imagebase:0x7ff6aea10000
                                                                  File size:69632 bytes
                                                                  MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.394351523.000001CB19B40000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.393369889.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:high

                                                                  General

                                                                  Target ID:5
                                                                  Start time:05:14:49
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\rundll32.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:rundll32.exe C:\Users\user\Desktop\S0Uj3iEhau.dll,DllUnregisterServer
                                                                  Imagebase:0x7ff6aea10000
                                                                  File size:69632 bytes
                                                                  MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000000.398789542.000001B259EF0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000000.398502439.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.422319159.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.422611514.000001B259EF0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000000.399522302.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000000.400744987.000001B259EF0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:high

                                                                  General

                                                                  Target ID:6
                                                                  Start time:05:14:52
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\regsvr32.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LBQDVFLViUyJtRNx\yIKZtRHMJ.dll"
                                                                  Imagebase:0x7ff7b01f0000
                                                                  File size:24064 bytes
                                                                  MD5 hash:D78B75FC68247E8A63ACBA846182740E
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.896847127.0000000000BD0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.897009415.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:high

                                                                  General

                                                                  Target ID:7
                                                                  Start time:05:14:53
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\svchost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                  Imagebase:0x7ff726010000
                                                                  File size:51288 bytes
                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  General

                                                                  Target ID:8
                                                                  Start time:05:14:54
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\WerFault.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\WerFault.exe -pss -s 468 -p 7136 -ip 7136
                                                                  Imagebase:0x7ff7164b0000
                                                                  File size:494488 bytes
                                                                  MD5 hash:2AFFE478D86272288BBEF5A00BBEF6A0
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  General

                                                                  Target ID:9
                                                                  Start time:05:14:56
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\WerFault.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\WerFault.exe -u -p 7136 -s 352
                                                                  Imagebase:0x7ff7164b0000
                                                                  File size:494488 bytes
                                                                  MD5 hash:2AFFE478D86272288BBEF5A00BBEF6A0
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language

                                                                  General

                                                                  Target ID:15
                                                                  Start time:05:15:23
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\svchost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                  Imagebase:0x7ff726010000
                                                                  File size:51288 bytes
                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language

                                                                  General

                                                                  Target ID:16
                                                                  Start time:05:15:30
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\svchost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                  Imagebase:0x7ff726010000
                                                                  File size:51288 bytes
                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language

                                                                  General

                                                                  Target ID:23
                                                                  Start time:05:16:11
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\svchost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                  Imagebase:0x7ff726010000
                                                                  File size:51288 bytes
                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language

                                                                  General

                                                                  Target ID:24
                                                                  Start time:05:16:35
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\svchost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                  Imagebase:0x7ff726010000
                                                                  File size:51288 bytes
                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language

                                                                  General

                                                                  Target ID:26
                                                                  Start time:05:16:53
                                                                  Start date:14/05/2022
                                                                  Path:C:\Windows\System32\svchost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                  Imagebase:0x7ff726010000
                                                                  File size:51288 bytes
                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language

                                                                  Disassembly

                                                                  Reset < >

                                                                    Execution Graph

                                                                    Execution Coverage:9.7%
                                                                    Dynamic/Decrypted Code Coverage:1.6%
                                                                    Signature Coverage:15.9%
                                                                    Total number of Nodes:679
                                                                    Total number of Limit Nodes:6
                                                                    execution_graph 9663 7fff30812050 9666 7fff307d1000 9663->9666 9667 7fff307d101e ExitProcess 9666->9667 9668 7fff30812290 9669 7fff308122b6 9668->9669 9673 7fff308122f3 9669->9673 9675 7fff308122be 9669->9675 9680 7fff30812154 9669->9680 9673->9675 9722 7fff307d1230 9673->9722 9674 7fff30812335 9674->9675 9676 7fff30812154 126 API calls 9674->9676 9676->9675 9677 7fff307d1230 8 API calls 9678 7fff30812328 9677->9678 9679 7fff30812154 126 API calls 9678->9679 9679->9674 9681 7fff308121e1 9680->9681 9682 7fff30812162 9680->9682 9684 7fff3081221e 9681->9684 9691 7fff308121e5 9681->9691 9727 7fff30814110 HeapCreate 9682->9727 9685 7fff30812223 9684->9685 9686 7fff30812279 9684->9686 9820 7fff30813108 9685->9820 9688 7fff3081216d 9686->9688 9847 7fff30812f50 9686->9847 9688->9673 9691->9688 9694 7fff30813a48 46 API calls 9691->9694 9693 7fff30812179 _RTC_Initialize 9701 7fff30812189 GetCommandLineA 9693->9701 9715 7fff3081217d 9693->9715 9696 7fff30812212 9694->9696 9697 7fff30812c94 48 API calls 9696->9697 9700 7fff30812217 9697->9700 9698 7fff30812243 FlsSetValue 9702 7fff3081226f 9698->9702 9703 7fff30812259 9698->9703 9831 7fff3081415c HeapDestroy 9700->9831 9746 7fff30813eec 9701->9746 9841 7fff30813024 9702->9841 9832 7fff30812cbc 9703->9832 9712 7fff308121ab 9784 7fff30812c94 9712->9784 9825 7fff3081415c HeapDestroy 9715->9825 9716 7fff308121b7 9717 7fff308121cb 9716->9717 9799 7fff30813aec 9716->9799 9717->9688 9826 7fff30813a48 9717->9826 9723 7fff307d1249 wcsftime 9722->9723 9724 7fff307d1276 9723->9724 9725 7fff308120e0 __initmbctable 8 API calls 9724->9725 9726 7fff3081203e 9725->9726 9726->9674 9726->9677 9728 7fff30814134 HeapSetInformation 9727->9728 9729 7fff30812169 9727->9729 9728->9729 9729->9688 9730 7fff30812fa0 9729->9730 9853 7fff308136f0 9730->9853 9732 7fff30812fab 9858 7fff30816970 9732->9858 9735 7fff30813014 9738 7fff30812c94 48 API calls 9735->9738 9736 7fff30812fb4 FlsAlloc 9736->9735 9737 7fff30812fcc 9736->9737 9739 7fff30813108 __wtomb_environ 45 API calls 9737->9739 9740 7fff30813019 9738->9740 9741 7fff30812fdb 9739->9741 9740->9693 9741->9735 9742 7fff30812fe3 FlsSetValue 9741->9742 9742->9735 9743 7fff30812ff6 9742->9743 9744 7fff30812cbc __doserrno 45 API calls 9743->9744 9745 7fff30813000 GetCurrentThreadId 9744->9745 9745->9740 9747 7fff30813f1b GetEnvironmentStringsW 9746->9747 9748 7fff30813f4d 9746->9748 9749 7fff30813f35 GetLastError 9747->9749 9750 7fff30813f29 9747->9750 9748->9750 9751 7fff30814010 9748->9751 9749->9748 9753 7fff30813f70 WideCharToMultiByte 9750->9753 9754 7fff30813f5b GetEnvironmentStringsW 9750->9754 9752 7fff3081401d GetEnvironmentStrings 9751->9752 9755 7fff3081219b 9751->9755 9752->9755 9756 7fff3081402f 9752->9756 9758 7fff30813fff 9753->9758 9759 7fff30813fbe 9753->9759 9754->9753 9754->9755 9771 7fff30813758 GetStartupInfoA 9755->9771 9760 7fff3081309c __setargv 45 API calls 9756->9760 9762 7fff30814002 FreeEnvironmentStringsW 9758->9762 9865 7fff3081309c 9759->9865 9763 7fff30814053 9760->9763 9762->9755 9765 7fff30814069 __initmbctable 9763->9765 9766 7fff3081405b FreeEnvironmentStringsA 9763->9766 9769 7fff30814077 FreeEnvironmentStringsA 9765->9769 9766->9755 9767 7fff30813fce WideCharToMultiByte 9767->9762 9768 7fff30813ff7 9767->9768 9770 7fff30813024 free 45 API calls 9768->9770 9769->9755 9770->9758 9772 7fff30813108 __wtomb_environ 45 API calls 9771->9772 9779 7fff30813795 9772->9779 9773 7fff308121a7 9773->9712 9792 7fff30813df4 9773->9792 9774 7fff30813981 GetStdHandle 9778 7fff3081395b 9774->9778 9775 7fff308139b0 GetFileType 9775->9778 9776 7fff30813108 __wtomb_environ 45 API calls 9776->9779 9777 7fff30813a10 SetHandleCount 9777->9773 9778->9773 9778->9774 9778->9775 9778->9777 9782 7fff30817ee4 _lock InitializeCriticalSectionAndSpinCount 9778->9782 9779->9773 9779->9776 9779->9778 9779->9779 9780 7fff308138c4 9779->9780 9780->9773 9780->9778 9781 7fff308138f7 GetFileType 9780->9781 9783 7fff30817ee4 _lock InitializeCriticalSectionAndSpinCount 9780->9783 9781->9780 9782->9778 9783->9780 9785 7fff30812ca3 FlsFree 9784->9785 9786 7fff30812cb0 9784->9786 9785->9786 9787 7fff30816a2f DeleteCriticalSection 9786->9787 9788 7fff30816a4d 9786->9788 9789 7fff30813024 free 45 API calls 9787->9789 9790 7fff30816a5b DeleteCriticalSection 9788->9790 9791 7fff30816a6a 9788->9791 9789->9786 9790->9788 9791->9715 9793 7fff30813e11 GetModuleFileNameA 9792->9793 9794 7fff30813e0c 9792->9794 9796 7fff30813e43 __setargv 9793->9796 10011 7fff30814ecc 9794->10011 9797 7fff3081309c __setargv 45 API calls 9796->9797 9798 7fff30813e97 __setargv 9796->9798 9797->9798 9798->9716 9800 7fff30813b09 9799->9800 9802 7fff30813b0e __tzset 9799->9802 9801 7fff30814ecc __initmbctable 83 API calls 9800->9801 9801->9802 9803 7fff308121c0 9802->9803 9804 7fff30813108 __wtomb_environ 45 API calls 9802->9804 9803->9717 9814 7fff3081347c 9803->9814 9811 7fff30813b4d __tzset 9804->9811 9805 7fff30813bc6 9806 7fff30813024 free 45 API calls 9805->9806 9806->9803 9807 7fff30813108 __wtomb_environ 45 API calls 9807->9811 9808 7fff30813c02 9809 7fff30813024 free 45 API calls 9808->9809 9809->9803 9810 7fff30817fbc __tzset 45 API calls 9810->9811 9811->9803 9811->9805 9811->9807 9811->9808 9811->9810 9812 7fff30813ba2 9811->9812 9813 7fff30816550 _isindst 6 API calls 9812->9813 9813->9811 9816 7fff30813492 _cinit 9814->9816 10415 7fff308173f4 9816->10415 9817 7fff308134af _initterm_e 9819 7fff308134d2 _cinit 9817->9819 10418 7fff308173dc 9817->10418 9819->9717 9821 7fff3081312d 9820->9821 9823 7fff30812237 9821->9823 9824 7fff3081314b Sleep 9821->9824 10435 7fff30816cec 9821->10435 9823->9688 9823->9698 9824->9821 9824->9823 9825->9688 9828 7fff30813a59 9826->9828 9827 7fff30813aa8 9827->9712 9828->9827 9829 7fff30813a70 DeleteCriticalSection 9828->9829 9830 7fff30813024 free 45 API calls 9828->9830 9829->9828 9830->9828 9831->9688 9833 7fff30816ba0 _lock 45 API calls 9832->9833 9834 7fff30812d11 9833->9834 10444 7fff30816a80 LeaveCriticalSection 9834->10444 9842 7fff30813029 HeapFree 9841->9842 9846 7fff30813059 realloc 9841->9846 9843 7fff30813044 9842->9843 9842->9846 9844 7fff308167e0 _errno 43 API calls 9843->9844 9845 7fff30813049 GetLastError 9844->9845 9845->9846 9846->9688 9848 7fff30812f64 9847->9848 9849 7fff30812f88 9847->9849 9850 7fff30812f78 FlsSetValue 9848->9850 9851 7fff30812f69 FlsGetValue 9848->9851 9849->9688 10445 7fff30812e18 9850->10445 9851->9850 9862 7fff30812c5c EncodePointer 9853->9862 9855 7fff308136fb _initp_misc_winsig 9856 7fff3081755c EncodePointer 9855->9856 9857 7fff3081373e EncodePointer 9856->9857 9857->9732 9859 7fff30816993 9858->9859 9860 7fff30812fb0 9859->9860 9863 7fff30817ee4 InitializeCriticalSectionAndSpinCount 9859->9863 9860->9735 9860->9736 9864 7fff30817f11 9863->9864 9864->9859 9868 7fff308130b8 9865->9868 9867 7fff308130f0 9867->9758 9867->9767 9868->9867 9869 7fff308130d0 Sleep 9868->9869 9870 7fff30816c34 9868->9870 9869->9867 9869->9868 9871 7fff30816cc8 realloc 9870->9871 9872 7fff30816c4c realloc 9870->9872 9875 7fff308167e0 _errno 44 API calls 9871->9875 9873 7fff30816c84 RtlAllocateHeap 9872->9873 9874 7fff30816c64 9872->9874 9878 7fff30816cad 9872->9878 9881 7fff30816cb2 9872->9881 9873->9872 9877 7fff30816cbd 9873->9877 9874->9873 9884 7fff30817160 9874->9884 9893 7fff30816f0c 9874->9893 9926 7fff3081334c 9874->9926 9875->9877 9877->9868 9929 7fff308167e0 9878->9929 9883 7fff308167e0 _errno 44 API calls 9881->9883 9883->9877 9932 7fff3081d2ac 9884->9932 9887 7fff3081d2ac _FF_MSGBANNER 45 API calls 9890 7fff3081717d 9887->9890 9888 7fff30816f0c _FF_MSGBANNER 45 API calls 9889 7fff30817194 9888->9889 9892 7fff30816f0c _FF_MSGBANNER 45 API calls 9889->9892 9890->9888 9891 7fff3081719e 9890->9891 9891->9874 9892->9891 9894 7fff30816f2f 9893->9894 9895 7fff308170d4 9894->9895 9896 7fff3081d2ac _FF_MSGBANNER 42 API calls 9894->9896 9895->9874 9897 7fff30816f51 9896->9897 9898 7fff308170d6 GetStdHandle 9897->9898 9899 7fff3081d2ac _FF_MSGBANNER 42 API calls 9897->9899 9898->9895 9900 7fff308170e9 __tzset 9898->9900 9901 7fff30816f64 9899->9901 9900->9895 9903 7fff308170ff WriteFile 9900->9903 9901->9898 9902 7fff30816f75 9901->9902 9902->9895 9951 7fff30817fbc 9902->9951 9903->9895 9906 7fff30816fb9 GetModuleFileNameA 9907 7fff30816fd9 9906->9907 9911 7fff3081700a __tzset 9906->9911 9909 7fff30817fbc __tzset 42 API calls 9907->9909 9908 7fff30816550 _isindst 6 API calls 9908->9906 9910 7fff30816ff1 9909->9910 9910->9911 9914 7fff30816550 _isindst 6 API calls 9910->9914 9912 7fff30817065 9911->9912 9960 7fff3081bf14 9911->9960 9969 7fff3081bdf4 9912->9969 9914->9911 9916 7fff30817090 9919 7fff3081bdf4 _FF_MSGBANNER 42 API calls 9916->9919 9918 7fff30816550 _isindst 6 API calls 9918->9916 9921 7fff308170a6 9919->9921 9922 7fff308170bf 9921->9922 9924 7fff30816550 _isindst 6 API calls 9921->9924 9978 7fff3081d0b8 9922->9978 9923 7fff30816550 _isindst 6 API calls 9923->9912 9924->9922 9996 7fff30813310 GetModuleHandleW 9926->9996 9999 7fff30812d70 GetLastError FlsGetValue 9929->9999 9931 7fff308167e9 9931->9881 9933 7fff3081d2b4 9932->9933 9934 7fff308167e0 _errno 45 API calls 9933->9934 9935 7fff3081716e 9933->9935 9936 7fff3081d2d9 9934->9936 9935->9887 9935->9890 9938 7fff308166d8 DecodePointer 9936->9938 9939 7fff30816723 _invalid_parameter_noinfo 9938->9939 9940 7fff30816709 9938->9940 9942 7fff30816550 9939->9942 9940->9935 9949 7fff308187a0 9942->9949 9944 7fff30816570 RtlCaptureContext 9945 7fff308165ad 9944->9945 9946 7fff3081660d IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 9945->9946 9947 7fff30816658 GetCurrentProcess TerminateProcess 9946->9947 9948 7fff3081664c _invalid_parameter_noinfo 9946->9948 9947->9940 9948->9947 9950 7fff308187a9 9949->9950 9950->9944 9950->9950 9952 7fff30817fd1 9951->9952 9953 7fff30817fc7 9951->9953 9954 7fff308167e0 _errno 45 API calls 9952->9954 9953->9952 9956 7fff30817ffd 9953->9956 9959 7fff30817fd9 9954->9959 9955 7fff308166d8 _invalid_parameter_noinfo 7 API calls 9957 7fff30816fa0 9955->9957 9956->9957 9958 7fff308167e0 _errno 45 API calls 9956->9958 9957->9906 9957->9908 9958->9959 9959->9955 9964 7fff3081bf22 9960->9964 9961 7fff3081bf27 9962 7fff308167e0 _errno 45 API calls 9961->9962 9963 7fff3081704c 9961->9963 9965 7fff3081bf51 9962->9965 9963->9912 9963->9923 9964->9961 9964->9963 9967 7fff3081bf75 9964->9967 9966 7fff308166d8 _invalid_parameter_noinfo 7 API calls 9965->9966 9966->9963 9967->9963 9968 7fff308167e0 _errno 45 API calls 9967->9968 9968->9965 9970 7fff3081be0c 9969->9970 9972 7fff3081be02 9969->9972 9971 7fff308167e0 _errno 45 API calls 9970->9971 9977 7fff3081be14 9971->9977 9972->9970 9974 7fff3081be50 9972->9974 9973 7fff308166d8 _invalid_parameter_noinfo 7 API calls 9975 7fff30817077 9973->9975 9974->9975 9976 7fff308167e0 _errno 45 API calls 9974->9976 9975->9916 9975->9918 9976->9977 9977->9973 9995 7fff30812c5c EncodePointer 9978->9995 9997 7fff3081333f ExitProcess 9996->9997 9998 7fff3081332a GetProcAddress 9996->9998 9998->9997 10000 7fff30812d96 9999->10000 10001 7fff30812dde SetLastError 9999->10001 10002 7fff30813108 __wtomb_environ 40 API calls 10000->10002 10001->9931 10003 7fff30812da3 10002->10003 10003->10001 10004 7fff30812dab FlsSetValue 10003->10004 10005 7fff30812dc1 10004->10005 10006 7fff30812dd7 10004->10006 10007 7fff30812cbc __doserrno 40 API calls 10005->10007 10008 7fff30813024 free 40 API calls 10006->10008 10009 7fff30812dc8 GetCurrentThreadId 10007->10009 10010 7fff30812ddc 10008->10010 10009->10001 10010->10001 10012 7fff30814ed9 10011->10012 10013 7fff30814ee3 10011->10013 10015 7fff30814cd4 10012->10015 10013->9793 10039 7fff30812df4 10015->10039 10022 7fff3081309c __setargv 45 API calls 10023 7fff30814d24 __initmbctable 10022->10023 10033 7fff30814e81 10023->10033 10062 7fff30814a0c 10023->10062 10026 7fff30814d5f 10029 7fff30813024 free 45 API calls 10026->10029 10032 7fff30814d84 10026->10032 10027 7fff30814e83 10028 7fff30814e9c 10027->10028 10030 7fff30813024 free 45 API calls 10027->10030 10027->10033 10031 7fff308167e0 _errno 45 API calls 10028->10031 10029->10032 10030->10028 10031->10033 10032->10033 10072 7fff30816ba0 10032->10072 10033->10013 10040 7fff30812d70 __doserrno 45 API calls 10039->10040 10041 7fff30812dff 10040->10041 10042 7fff30812e0f 10041->10042 10078 7fff308132e0 10041->10078 10044 7fff308148c0 10042->10044 10045 7fff30812df4 _getptd 45 API calls 10044->10045 10046 7fff308148cf 10045->10046 10047 7fff308148ea 10046->10047 10048 7fff30816ba0 _lock 45 API calls 10046->10048 10050 7fff3081496e 10047->10050 10053 7fff308132e0 _lock 45 API calls 10047->10053 10049 7fff308148fd 10048->10049 10051 7fff30814934 10049->10051 10054 7fff30813024 free 45 API calls 10049->10054 10055 7fff3081497c 10050->10055 10083 7fff30816a80 LeaveCriticalSection 10051->10083 10053->10050 10054->10051 10084 7fff30812534 10055->10084 10058 7fff308149c1 10060 7fff308149c6 GetACP 10058->10060 10061 7fff308149ac 10058->10061 10059 7fff3081499c GetOEMCP 10059->10061 10060->10061 10061->10022 10061->10033 10063 7fff3081497c __initmbctable 47 API calls 10062->10063 10064 7fff30814a33 10063->10064 10065 7fff30814a3b __initmbctable 10064->10065 10066 7fff30814a8c IsValidCodePage 10064->10066 10071 7fff30814ab2 unexpected 10064->10071 10261 7fff308120e0 10065->10261 10066->10065 10068 7fff30814a9d GetCPInfo 10066->10068 10068->10065 10068->10071 10069 7fff30814c6f 10069->10026 10069->10027 10251 7fff308146dc GetCPInfo 10071->10251 10073 7fff30816bcf EnterCriticalSection 10072->10073 10074 7fff30816bbe 10072->10074 10389 7fff30816ab8 10074->10389 10077 7fff308132e0 _lock 44 API calls 10077->10073 10079 7fff30817160 _FF_MSGBANNER 44 API calls 10078->10079 10080 7fff308132ed 10079->10080 10081 7fff30816f0c _FF_MSGBANNER 44 API calls 10080->10081 10082 7fff308132f4 DecodePointer 10081->10082 10085 7fff3081254a 10084->10085 10091 7fff308125ae 10084->10091 10086 7fff30812df4 _getptd 45 API calls 10085->10086 10087 7fff3081254f 10086->10087 10088 7fff30812587 10087->10088 10092 7fff3081524c 10087->10092 10090 7fff308148c0 __initmbctable 45 API calls 10088->10090 10088->10091 10090->10091 10091->10058 10091->10059 10093 7fff30812df4 _getptd 45 API calls 10092->10093 10095 7fff30815257 10093->10095 10094 7fff30815280 10096 7fff30816ba0 _lock 45 API calls 10094->10096 10095->10094 10097 7fff30815272 10095->10097 10099 7fff3081528a 10096->10099 10098 7fff30812df4 _getptd 45 API calls 10097->10098 10100 7fff30815277 10098->10100 10106 7fff308151f4 10099->10106 10104 7fff308152b8 10100->10104 10105 7fff308132e0 _lock 45 API calls 10100->10105 10104->10088 10105->10104 10107 7fff30815202 ___lc_codepage_func 10106->10107 10108 7fff3081523e 10106->10108 10107->10108 10111 7fff30814f04 10107->10111 10110 7fff30816a80 LeaveCriticalSection 10108->10110 10112 7fff30814f9b 10111->10112 10114 7fff30814f22 10111->10114 10113 7fff30814fee 10112->10113 10115 7fff30813024 free 45 API calls 10112->10115 10132 7fff3081501b 10113->10132 10163 7fff308198a4 10113->10163 10114->10112 10117 7fff30814f61 10114->10117 10124 7fff30813024 free 45 API calls 10114->10124 10118 7fff30814fbf 10115->10118 10121 7fff30814f83 10117->10121 10131 7fff30813024 free 45 API calls 10117->10131 10120 7fff30813024 free 45 API calls 10118->10120 10125 7fff30814fd3 10120->10125 10122 7fff30813024 free 45 API calls 10121->10122 10127 7fff30814f8f 10122->10127 10123 7fff30813024 free 45 API calls 10123->10132 10128 7fff30814f55 10124->10128 10130 7fff30813024 free 45 API calls 10125->10130 10126 7fff30815067 10133 7fff30813024 free 45 API calls 10127->10133 10139 7fff30819df8 10128->10139 10129 7fff30813024 45 API calls free 10129->10132 10135 7fff30814fe2 10130->10135 10136 7fff30814f77 10131->10136 10132->10126 10132->10129 10133->10112 10137 7fff30813024 free 45 API calls 10135->10137 10155 7fff30819b68 10136->10155 10137->10113 10140 7fff30819e01 10139->10140 10141 7fff30819e87 10139->10141 10142 7fff30819e1b 10140->10142 10143 7fff30813024 free 45 API calls 10140->10143 10141->10117 10144 7fff30819e2d 10142->10144 10145 7fff30813024 free 45 API calls 10142->10145 10143->10142 10146 7fff30819e3f 10144->10146 10147 7fff30813024 free 45 API calls 10144->10147 10145->10144 10148 7fff30819e51 10146->10148 10149 7fff30813024 free 45 API calls 10146->10149 10147->10146 10150 7fff30819e63 10148->10150 10151 7fff30813024 free 45 API calls 10148->10151 10149->10148 10152 7fff30819e75 10150->10152 10153 7fff30813024 free 45 API calls 10150->10153 10151->10150 10152->10141 10154 7fff30813024 free 45 API calls 10152->10154 10153->10152 10154->10141 10156 7fff30819b6d 10155->10156 10160 7fff30819baa 10155->10160 10157 7fff30819b86 10156->10157 10158 7fff30813024 free 45 API calls 10156->10158 10159 7fff30819b98 10157->10159 10161 7fff30813024 free 45 API calls 10157->10161 10158->10157 10159->10160 10162 7fff30813024 free 45 API calls 10159->10162 10160->10121 10161->10159 10162->10160 10164 7fff3081500f 10163->10164 10165 7fff308198ad 10163->10165 10164->10123 10166 7fff30813024 free 45 API calls 10165->10166 10167 7fff308198be 10166->10167 10168 7fff30813024 free 45 API calls 10167->10168 10169 7fff308198c7 10168->10169 10170 7fff30813024 free 45 API calls 10169->10170 10171 7fff308198d0 10170->10171 10172 7fff30813024 free 45 API calls 10171->10172 10173 7fff308198d9 10172->10173 10174 7fff30813024 free 45 API calls 10173->10174 10175 7fff308198e2 10174->10175 10176 7fff30813024 free 45 API calls 10175->10176 10177 7fff308198eb 10176->10177 10178 7fff30813024 free 45 API calls 10177->10178 10179 7fff308198f3 10178->10179 10180 7fff30813024 free 45 API calls 10179->10180 10181 7fff308198fc 10180->10181 10182 7fff30813024 free 45 API calls 10181->10182 10183 7fff30819905 10182->10183 10184 7fff30813024 free 45 API calls 10183->10184 10185 7fff3081990e 10184->10185 10186 7fff30813024 free 45 API calls 10185->10186 10187 7fff30819917 10186->10187 10188 7fff30813024 free 45 API calls 10187->10188 10189 7fff30819920 10188->10189 10190 7fff30813024 free 45 API calls 10189->10190 10191 7fff30819929 10190->10191 10192 7fff30813024 free 45 API calls 10191->10192 10193 7fff30819932 10192->10193 10194 7fff30813024 free 45 API calls 10193->10194 10195 7fff3081993b 10194->10195 10196 7fff30813024 free 45 API calls 10195->10196 10197 7fff30819944 10196->10197 10198 7fff30813024 free 45 API calls 10197->10198 10199 7fff30819950 10198->10199 10200 7fff30813024 free 45 API calls 10199->10200 10201 7fff3081995c 10200->10201 10202 7fff30813024 free 45 API calls 10201->10202 10203 7fff30819968 10202->10203 10204 7fff30813024 free 45 API calls 10203->10204 10205 7fff30819974 10204->10205 10206 7fff30813024 free 45 API calls 10205->10206 10207 7fff30819980 10206->10207 10208 7fff30813024 free 45 API calls 10207->10208 10209 7fff3081998c 10208->10209 10210 7fff30813024 free 45 API calls 10209->10210 10211 7fff30819998 10210->10211 10212 7fff30813024 free 45 API calls 10211->10212 10213 7fff308199a4 10212->10213 10214 7fff30813024 free 45 API calls 10213->10214 10215 7fff308199b0 10214->10215 10216 7fff30813024 free 45 API calls 10215->10216 10217 7fff308199bc 10216->10217 10218 7fff30813024 free 45 API calls 10217->10218 10219 7fff308199c8 10218->10219 10220 7fff30813024 free 45 API calls 10219->10220 10221 7fff308199d4 10220->10221 10222 7fff30813024 free 45 API calls 10221->10222 10223 7fff308199e0 10222->10223 10224 7fff30813024 free 45 API calls 10223->10224 10225 7fff308199ec 10224->10225 10226 7fff30813024 free 45 API calls 10225->10226 10227 7fff308199f8 10226->10227 10228 7fff30813024 free 45 API calls 10227->10228 10229 7fff30819a04 10228->10229 10230 7fff30813024 free 45 API calls 10229->10230 10231 7fff30819a10 10230->10231 10232 7fff30813024 free 45 API calls 10231->10232 10233 7fff30819a1c 10232->10233 10234 7fff30813024 free 45 API calls 10233->10234 10235 7fff30819a28 10234->10235 10236 7fff30813024 free 45 API calls 10235->10236 10237 7fff30819a34 10236->10237 10238 7fff30813024 free 45 API calls 10237->10238 10239 7fff30819a40 10238->10239 10240 7fff30813024 free 45 API calls 10239->10240 10241 7fff30819a4c 10240->10241 10242 7fff30813024 free 45 API calls 10241->10242 10243 7fff30819a58 10242->10243 10244 7fff30813024 free 45 API calls 10243->10244 10245 7fff30819a64 10244->10245 10246 7fff30813024 free 45 API calls 10245->10246 10247 7fff30819a70 10246->10247 10248 7fff30813024 free 45 API calls 10247->10248 10249 7fff30819a7c 10248->10249 10250 7fff30813024 free 45 API calls 10249->10250 10250->10164 10252 7fff3081471e unexpected 10251->10252 10260 7fff3081480a 10251->10260 10272 7fff308191a0 10252->10272 10254 7fff308120e0 __initmbctable 8 API calls 10257 7fff308148aa 10254->10257 10257->10065 10259 7fff30818e9c __initmbctable 78 API calls 10259->10260 10260->10254 10262 7fff308120e9 10261->10262 10263 7fff308123e8 RtlCaptureContext RtlLookupFunctionEntry 10262->10263 10264 7fff308120f4 10262->10264 10265 7fff3081242c RtlVirtualUnwind 10263->10265 10266 7fff3081246d 10263->10266 10264->10069 10267 7fff3081248f IsDebuggerPresent 10265->10267 10266->10267 10388 7fff3081460c 10267->10388 10269 7fff308124ee SetUnhandledExceptionFilter UnhandledExceptionFilter 10270 7fff30812516 GetCurrentProcess TerminateProcess 10269->10270 10271 7fff3081250c _invalid_parameter_noinfo 10269->10271 10270->10069 10271->10270 10273 7fff30812534 _wcstoui64 45 API calls 10272->10273 10274 7fff308191c4 10273->10274 10282 7fff30818f34 10274->10282 10277 7fff30818e9c 10278 7fff30812534 _wcstoui64 45 API calls 10277->10278 10279 7fff30818ec0 10278->10279 10341 7fff3081895c 10279->10341 10283 7fff30818fc1 10282->10283 10284 7fff30818f84 GetStringTypeW 10282->10284 10286 7fff30818f9e 10283->10286 10287 7fff308190f0 10283->10287 10285 7fff30818fa6 GetLastError 10284->10285 10284->10286 10285->10283 10288 7fff30818fea MultiByteToWideChar 10286->10288 10304 7fff308190e9 10286->10304 10306 7fff3081e1e8 GetLocaleInfoA 10287->10306 10294 7fff30819018 10288->10294 10288->10304 10290 7fff308120e0 __initmbctable 8 API calls 10292 7fff308147a1 10290->10292 10292->10277 10293 7fff3081914b GetStringTypeA 10295 7fff3081916e 10293->10295 10293->10304 10296 7fff30816c34 realloc 45 API calls 10294->10296 10297 7fff3081903d unexpected wcsftime 10294->10297 10299 7fff30813024 free 45 API calls 10295->10299 10296->10297 10300 7fff308190a4 MultiByteToWideChar 10297->10300 10297->10304 10299->10304 10302 7fff308190c6 GetStringTypeW 10300->10302 10303 7fff308190db 10300->10303 10302->10303 10303->10304 10305 7fff30813024 free 45 API calls 10303->10305 10304->10290 10305->10304 10307 7fff3081e21f 10306->10307 10308 7fff3081e21a 10306->10308 10337 7fff30812100 10307->10337 10310 7fff308120e0 __initmbctable 8 API calls 10308->10310 10311 7fff3081911a 10310->10311 10311->10293 10311->10304 10312 7fff3081e23c 10311->10312 10313 7fff3081e366 10312->10313 10314 7fff3081e28e GetCPInfo 10312->10314 10317 7fff308120e0 __initmbctable 8 API calls 10313->10317 10315 7fff3081e2a0 10314->10315 10316 7fff3081e33f MultiByteToWideChar 10314->10316 10315->10316 10318 7fff3081e2aa GetCPInfo 10315->10318 10316->10313 10321 7fff3081e2c5 __tzset 10316->10321 10319 7fff30819140 10317->10319 10318->10316 10320 7fff3081e2bf 10318->10320 10319->10293 10319->10304 10320->10316 10320->10321 10322 7fff30816c34 realloc 45 API calls 10321->10322 10326 7fff3081e301 unexpected wcsftime 10321->10326 10322->10326 10323 7fff3081e39d MultiByteToWideChar 10324 7fff3081e3ff 10323->10324 10325 7fff3081e3c7 10323->10325 10324->10313 10329 7fff30813024 free 45 API calls 10324->10329 10327 7fff3081e407 10325->10327 10328 7fff3081e3cc WideCharToMultiByte 10325->10328 10326->10313 10326->10323 10330 7fff3081e439 10327->10330 10331 7fff3081e40d WideCharToMultiByte 10327->10331 10328->10324 10329->10313 10332 7fff30813108 __wtomb_environ 45 API calls 10330->10332 10331->10324 10331->10330 10333 7fff3081e446 10332->10333 10333->10324 10334 7fff3081e44e WideCharToMultiByte 10333->10334 10334->10324 10335 7fff3081e477 10334->10335 10336 7fff30813024 free 45 API calls 10335->10336 10336->10324 10338 7fff3081287c 10337->10338 10339 7fff308125f8 _wcstoui64_l 67 API calls 10338->10339 10340 7fff308128a7 10339->10340 10340->10308 10342 7fff308189b4 LCMapStringW 10341->10342 10346 7fff308189d8 10341->10346 10343 7fff308189e4 GetLastError 10342->10343 10342->10346 10343->10346 10344 7fff30818ca6 10347 7fff3081e1e8 _wcstoui64 67 API calls 10344->10347 10345 7fff30818a53 10348 7fff30818a71 MultiByteToWideChar 10345->10348 10361 7fff30818c9f 10345->10361 10346->10344 10346->10345 10350 7fff30818cd4 10347->10350 10357 7fff30818aa0 10348->10357 10348->10361 10349 7fff308120e0 __initmbctable 8 API calls 10351 7fff308147d4 10349->10351 10352 7fff30818e2f LCMapStringA 10350->10352 10353 7fff30818cf3 10350->10353 10350->10361 10351->10259 10360 7fff30818d3b 10352->10360 10355 7fff3081e23c _wcstoui64 60 API calls 10353->10355 10354 7fff30818b1c MultiByteToWideChar 10356 7fff30818b46 LCMapStringW 10354->10356 10362 7fff30818c91 10354->10362 10359 7fff30818d0b 10355->10359 10356->10362 10363 7fff30818b70 10356->10363 10358 7fff30816c34 realloc 45 API calls 10357->10358 10368 7fff30818ad1 wcsftime 10357->10368 10358->10368 10359->10361 10364 7fff30818d13 LCMapStringA 10359->10364 10365 7fff30818e5f 10360->10365 10369 7fff30813024 free 45 API calls 10360->10369 10361->10349 10362->10361 10366 7fff30813024 free 45 API calls 10362->10366 10367 7fff30818b7b 10363->10367 10371 7fff30818bb6 10363->10371 10364->10360 10377 7fff30818d42 10364->10377 10365->10361 10372 7fff30813024 free 45 API calls 10365->10372 10366->10361 10367->10362 10370 7fff30818b92 LCMapStringW 10367->10370 10368->10354 10368->10361 10369->10365 10370->10362 10376 7fff30816c34 realloc 45 API calls 10371->10376 10383 7fff30818bd4 wcsftime 10371->10383 10372->10361 10373 7fff30818c23 LCMapStringW 10374 7fff30818c44 WideCharToMultiByte 10373->10374 10375 7fff30818c83 10373->10375 10374->10375 10375->10362 10382 7fff30813024 free 45 API calls 10375->10382 10376->10383 10378 7fff30816c34 realloc 45 API calls 10377->10378 10380 7fff30818d63 unexpected wcsftime 10377->10380 10378->10380 10379 7fff30818dc5 LCMapStringA 10384 7fff30818df1 10379->10384 10385 7fff30818ded 10379->10385 10380->10360 10380->10379 10382->10362 10383->10362 10383->10373 10386 7fff3081e23c _wcstoui64 60 API calls 10384->10386 10385->10360 10387 7fff30813024 free 45 API calls 10385->10387 10386->10385 10387->10360 10388->10269 10390 7fff30816adf 10389->10390 10391 7fff30816af6 10389->10391 10393 7fff30817160 _FF_MSGBANNER 44 API calls 10390->10393 10392 7fff30816b0b 10391->10392 10395 7fff3081309c __setargv 44 API calls 10391->10395 10392->10073 10392->10077 10394 7fff30816ae4 10393->10394 10396 7fff30816f0c _FF_MSGBANNER 44 API calls 10394->10396 10397 7fff30816b19 10395->10397 10398 7fff30816aec 10396->10398 10399 7fff30816b30 10397->10399 10400 7fff30816b21 10397->10400 10401 7fff3081334c _lock 3 API calls 10398->10401 10403 7fff30816ba0 _lock 44 API calls 10399->10403 10402 7fff308167e0 _errno 44 API calls 10400->10402 10401->10391 10402->10392 10404 7fff30816b3a 10403->10404 10405 7fff30816b72 10404->10405 10406 7fff30816b43 10404->10406 10408 7fff30813024 free 44 API calls 10405->10408 10407 7fff30817ee4 _lock InitializeCriticalSectionAndSpinCount 10406->10407 10409 7fff30816b50 10407->10409 10414 7fff30816b61 LeaveCriticalSection 10408->10414 10411 7fff30813024 free 44 API calls 10409->10411 10409->10414 10412 7fff30816b5c 10411->10412 10413 7fff308167e0 _errno 44 API calls 10412->10413 10413->10414 10414->10392 10416 7fff3081740a EncodePointer 10415->10416 10416->10416 10417 7fff3081741f 10416->10417 10417->9817 10421 7fff308172d4 10418->10421 10434 7fff30813364 10421->10434 10436 7fff30816d01 10435->10436 10439 7fff30816d33 realloc 10435->10439 10437 7fff30816d0f 10436->10437 10436->10439 10438 7fff308167e0 _errno 44 API calls 10437->10438 10441 7fff30816d14 10438->10441 10440 7fff30816d4b RtlAllocateHeap 10439->10440 10442 7fff30816d2f 10439->10442 10440->10439 10440->10442 10443 7fff308166d8 _invalid_parameter_noinfo 7 API calls 10441->10443 10442->9821 10443->10442 10446 7fff30812e21 10445->10446 10447 7fff30812f42 10445->10447 10448 7fff30812e3c 10446->10448 10449 7fff30813024 free 45 API calls 10446->10449 10447->9849 10450 7fff30812e4a 10448->10450 10451 7fff30813024 free 45 API calls 10448->10451 10449->10448 10452 7fff30812e58 10450->10452 10453 7fff30813024 free 45 API calls 10450->10453 10451->10450 10454 7fff30812e66 10452->10454 10455 7fff30813024 free 45 API calls 10452->10455 10453->10452 10456 7fff30812e74 10454->10456 10458 7fff30813024 free 45 API calls 10454->10458 10455->10454 10457 7fff30812e82 10456->10457 10459 7fff30813024 free 45 API calls 10456->10459 10460 7fff30812e93 10457->10460 10461 7fff30813024 free 45 API calls 10457->10461 10458->10456 10459->10457 10462 7fff30812eab 10460->10462 10463 7fff30813024 free 45 API calls 10460->10463 10461->10460 10464 7fff30816ba0 _lock 45 API calls 10462->10464 10463->10462 10468 7fff30812eb5 10464->10468 10465 7fff30812ee3 10477 7fff30816a80 LeaveCriticalSection 10465->10477 10468->10465 10470 7fff30813024 free 45 API calls 10468->10470 10470->10465 10478 7fff30811ee7 10479 7fff30811f13 RtlAllocateHeap 10478->10479 10480 7fff30811f5c 10479->10480 10481 7fff30811f3d RtlDeleteBoundaryDescriptor 10479->10481 10481->10480 10482 bd0000 10483 bd0183 10482->10483 10484 bd043e VirtualAlloc 10483->10484 10488 bd0462 10484->10488 10485 bd0a7b 10486 bd0531 GetNativeSystemInfo 10486->10485 10487 bd056d VirtualAlloc 10486->10487 10492 bd058b 10487->10492 10488->10485 10488->10486 10489 bd0a00 10489->10485 10490 bd0a56 RtlAddFunctionTable 10489->10490 10490->10485 10491 bd09d9 VirtualProtect 10491->10492 10492->10489 10492->10491 10492->10492

                                                                    Executed Functions

                                                                    Function 00BD0000 Relevance: 76.3, APIs: 5, Strings: 38, Instructions: 1094memoryCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 8 bd0000-bd0460 call bd0aa8 * 2 VirtualAlloc 30 bd048a-bd0494 8->30 31 bd0462-bd0466 8->31 34 bd049a-bd049e 30->34 35 bd0a91-bd0aa6 30->35 32 bd0468-bd0488 31->32 32->30 32->32 34->35 36 bd04a4-bd04a8 34->36 36->35 37 bd04ae-bd04b2 36->37 37->35 38 bd04b8-bd04bf 37->38 38->35 39 bd04c5-bd04d2 38->39 39->35 40 bd04d8-bd04e1 39->40 40->35 41 bd04e7-bd04f4 40->41 41->35 42 bd04fa-bd0507 41->42 43 bd0509-bd0511 42->43 44 bd0531-bd0567 GetNativeSystemInfo 42->44 45 bd0513-bd0518 43->45 44->35 46 bd056d-bd0589 VirtualAlloc 44->46 47 bd051a-bd051f 45->47 48 bd0521 45->48 49 bd058b-bd059e 46->49 50 bd05a0-bd05ac 46->50 51 bd0523-bd052f 47->51 48->51 49->50 52 bd05af-bd05b2 50->52 51->44 51->45 54 bd05b4-bd05bf 52->54 55 bd05c1-bd05db 52->55 54->52 56 bd05dd-bd05e2 55->56 57 bd061b-bd0622 55->57 60 bd05e4-bd05ea 56->60 58 bd0628-bd062f 57->58 59 bd06db-bd06e2 57->59 58->59 61 bd0635-bd0642 58->61 62 bd06e8-bd06f9 59->62 63 bd0864-bd086b 59->63 64 bd05ec-bd0609 60->64 65 bd060b-bd0619 60->65 61->59 68 bd0648-bd064f 61->68 69 bd0702-bd0705 62->69 66 bd0917-bd0929 63->66 67 bd0871-bd087f 63->67 64->64 64->65 65->57 65->60 70 bd092f-bd0937 66->70 71 bd0a07-bd0a1a 66->71 72 bd090e-bd0911 67->72 73 bd0654-bd0658 68->73 74 bd06fb-bd06ff 69->74 75 bd0707-bd070a 69->75 77 bd093b-bd093f 70->77 96 bd0a1c-bd0a27 71->96 97 bd0a40-bd0a4a 71->97 72->66 76 bd0884-bd08a9 72->76 78 bd06c0-bd06ca 73->78 74->69 79 bd070c-bd071d 75->79 80 bd0788-bd078e 75->80 102 bd08ab-bd08b1 76->102 103 bd0907-bd090c 76->103 83 bd09ec-bd09fa 77->83 84 bd0945-bd095a 77->84 81 bd06cc-bd06d2 78->81 82 bd065a-bd0669 78->82 85 bd071f-bd0720 79->85 86 bd0794-bd07a2 79->86 80->86 81->73 88 bd06d4-bd06d5 81->88 92 bd066b-bd0678 82->92 93 bd067a-bd067e 82->93 83->77 94 bd0a00-bd0a01 83->94 90 bd095c-bd095e 84->90 91 bd097b-bd097d 84->91 95 bd0722-bd0784 85->95 98 bd085d-bd085e 86->98 99 bd07a8 86->99 88->59 104 bd096e-bd0979 90->104 105 bd0960-bd096c 90->105 107 bd097f-bd0981 91->107 108 bd09a2-bd09a4 91->108 106 bd06bd-bd06be 92->106 109 bd068c-bd0690 93->109 110 bd0680-bd068a 93->110 94->71 95->95 111 bd0786 95->111 112 bd0a38-bd0a3e 96->112 100 bd0a4c-bd0a54 97->100 101 bd0a7b-bd0a8e 97->101 98->63 113 bd07ae-bd07d4 99->113 100->101 119 bd0a56-bd0a79 RtlAddFunctionTable 100->119 101->35 116 bd08bb-bd08c8 102->116 117 bd08b3-bd08b9 102->117 103->72 120 bd09be-bd09bf 104->120 105->120 106->78 121 bd0989-bd098b 107->121 122 bd0983-bd0987 107->122 114 bd09ac-bd09bb 108->114 115 bd09a6-bd09aa 108->115 124 bd06a5-bd06a9 109->124 125 bd0692-bd06a3 109->125 123 bd06b6-bd06ba 110->123 111->86 112->97 118 bd0a29-bd0a35 112->118 137 bd0835-bd0839 113->137 138 bd07d6-bd07d9 113->138 114->120 115->120 128 bd08ca-bd08d1 116->128 129 bd08d3-bd08e5 116->129 127 bd08ea-bd08fe 117->127 118->112 119->101 126 bd09c5-bd09cb 120->126 121->108 132 bd098d-bd098f 121->132 122->120 123->106 124->106 133 bd06ab-bd06b3 124->133 125->123 134 bd09cd-bd09d3 126->134 135 bd09d9-bd09e9 VirtualProtect 126->135 127->103 146 bd0900-bd0905 127->146 128->128 128->129 129->127 139 bd0999-bd09a0 132->139 140 bd0991-bd0997 132->140 133->123 134->135 135->83 144 bd083b 137->144 145 bd0844-bd0850 137->145 142 bd07db-bd07e1 138->142 143 bd07e3-bd07f0 138->143 139->126 140->120 147 bd0812-bd082c 142->147 148 bd07fb-bd080d 143->148 149 bd07f2-bd07f9 143->149 144->145 145->113 150 bd0856-bd0857 145->150 146->102 147->137 152 bd082e-bd0833 147->152 148->147 149->148 149->149 150->98 152->138
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392795509.0000000000BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_bd0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
                                                                    • String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
                                                                    • API String ID: 394283112-2517549848
                                                                    • Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                    • Instruction ID: 428a0afc6cf4f36a8c291f3d335ffcd28366e9c285f6daa084c0474e334aa3bc
                                                                    • Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                    • Instruction Fuzzy Hash: D372C830528B488BDB19EF18D8857B9B7E1FB98305F10466EE88AD7311EB34D946CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018002C058 Relevance: 10.4, Strings: 8, Instructions: 370COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #C$(I$-:$Ekf$<W$Z$l$l
                                                                    • API String ID: 0-464535774
                                                                    • Opcode ID: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
                                                                    • Instruction ID: edc4d0e98499d5b5adff65828f8d1fd2ac7ce79502a6533da94e18623254a36a
                                                                    • Opcode Fuzzy Hash: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
                                                                    • Instruction Fuzzy Hash: C102E3B151038CDBCB99DF28C8CAADD3BA1FB48398F956219FD0697260D774D884CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180010FF4 Relevance: 7.9, Strings: 6, Instructions: 363COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 337 180010ff4-180011016 338 180011020 337->338 339 180011022-180011028 338->339 340 180011814 339->340 341 18001102e-180011034 339->341 342 180011819-18001181f 340->342 343 1800114e2-1800114ec 341->343 344 18001103a-180011040 341->344 342->339 347 180011825-180011832 342->347 345 1800114f5-18001151d 343->345 346 1800114ee-1800114f3 343->346 348 1800113e2-1800114d2 call 180008200 344->348 349 180011046-18001104c 344->349 350 180011523-1800117f4 call 180016314 call 1800291ac call 18001e2bc 345->350 346->350 348->347 358 1800114d8-1800114dd 348->358 349->342 352 180011052-18001120b call 180021040 call 1800291ac 349->352 367 1800117f9-180011803 350->367 363 180011212-1800113d7 call 1800291ac call 18001e2bc 352->363 364 18001120d 352->364 358->339 363->347 372 1800113dd 363->372 364->363 367->347 369 180011805-18001180f 367->369 369->339 372->338
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: )|x$/Zb$/v|$OV4T$\$lA
                                                                    • API String ID: 0-3528011396
                                                                    • Opcode ID: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
                                                                    • Instruction ID: 5dbdb21e6b24644f90705741d0e2e2cc24c858ca1caac6c8284349b4f9dc1789
                                                                    • Opcode Fuzzy Hash: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
                                                                    • Instruction Fuzzy Hash: 8C2204705097C8CBDBBECF64C885BDA7BA8FB44B08F10521DEA4A9E258DB745744CB41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180021618 Relevance: 7.8, Strings: 6, Instructions: 266COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 373 180021618-180021653 374 180021655-18002165a 373->374 375 180021bf3-180021c25 374->375 376 180021660-180021665 374->376 377 180021c2a-180021c2f 375->377 378 180021a81-180021bda call 180016314 376->378 379 18002166b-180021670 376->379 380 180021838-180021845 377->380 381 180021c35 377->381 388 180021bdf-180021bee 378->388 382 1800219f3-180021a7c call 180001b1c 379->382 383 180021676-18002167b 379->383 381->374 382->374 385 1800219e4-1800219ee 383->385 386 180021681-180021686 383->386 385->374 389 1800219d5-1800219df call 18001dfb4 386->389 390 18002168c-180021691 386->390 388->374 389->374 392 180021697-18002169c 390->392 393 18002190c-1800219a5 call 18000abac 390->393 396 1800216a2-1800216a7 392->396 397 180021846-180021907 call 180021434 392->397 399 1800219aa-1800219b0 393->399 396->377 400 1800216ad-180021835 call 180008200 call 1800166c0 396->400 397->374 402 1800219b2-1800219c6 399->402 403 1800219cb-1800219d0 399->403 400->380 402->374 403->374
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $&.+$)O$.pN$F>9$t(/
                                                                    • API String ID: 0-3036092626
                                                                    • Opcode ID: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
                                                                    • Instruction ID: e4baced68933c0a0796cf32b330105f1a6d3ed4de4784e8c7f389f9334031704
                                                                    • Opcode Fuzzy Hash: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
                                                                    • Instruction Fuzzy Hash: E6E109716093C89FEBBACF24C8897DE7BA1FB59344F50421DD88A8E250DB745B49CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180028C20 Relevance: 6.6, Strings: 5, Instructions: 335COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 438 180028c20-180028c53 439 180028c58-180028c5e 438->439 440 180028c64-180028c6a 439->440 441 1800290ae-180029147 call 180013e28 439->441 442 1800290a4-1800290a9 440->442 443 180028c70-180028c76 440->443 451 18002914c-180029152 441->451 442->439 445 180029003-18002909f call 180008ea0 443->445 446 180028c7c-180028c82 443->446 445->439 449 180028c88-180028c8e 446->449 450 180028fab-180028ffe call 1800223c4 446->450 453 180028c94-180028c9a 449->453 454 180028df6-180028e1e 449->454 450->439 455 180029154 451->455 456 18002919c-1800291a8 451->456 460 180028d62-180028ddb call 180016bd8 453->460 461 180028ca0-180028ca6 453->461 454->439 459 180028e24-180028e3c 454->459 455->439 462 180028e42-180028ee6 call 18001d49c 459->462 463 180028ee9-180028f0b 459->463 467 180028de0-180028de6 460->467 464 180028cac-180028cb2 461->464 465 180029159-180029197 call 1800164c8 461->465 462->463 469 180028f94-180028f95 463->469 470 180028f11-180028f92 call 18001d49c 463->470 464->451 471 180028cb8-180028d5d call 180010c00 464->471 465->456 467->456 473 180028dec-180028df1 467->473 476 180028f98-180028f9b 469->476 470->476 471->439 473->439 476->439 479 180028fa1-180028fa6 476->479 479->439
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: :G$Q27$_5$yy8x$Mh
                                                                    • API String ID: 0-3587547327
                                                                    • Opcode ID: 315710b1bd8495485e823c5d8e4dda2fa20a4e0309c27e75a691e805bd33ac06
                                                                    • Instruction ID: f758bc8895b8ed7f582f71be29fb7142b0f1d07f9cbefdc8313849e51cf7b1d3
                                                                    • Opcode Fuzzy Hash: 315710b1bd8495485e823c5d8e4dda2fa20a4e0309c27e75a691e805bd33ac06
                                                                    • Instruction Fuzzy Hash: 3DF1E07051434CEBDFA9DF68C8CAA9D3BA0FF48394FA06219FD0696250D775D988CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000C608 Relevance: 5.6, Strings: 4, Instructions: 616COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 481 18000c608-18000c62d 482 18000c632-18000c637 481->482 483 18000cc8a-18000cc8f 482->483 484 18000c63d 482->484 485 18000cc95-18000cc9a 483->485 486 18000cf2b-18000cfaf call 18001f7c0 call 18001c32c 483->486 487 18000c643-18000c648 484->487 488 18000cb7d-18000cc23 call 1800269b0 call 18001c32c 484->488 490 18000ce33-18000ced7 call 180008ad8 call 18001c32c 485->490 491 18000cca0-18000cca5 485->491 514 18000cfb4-18000d00a call 1800194a4 486->514 492 18000caa5-18000cb78 call 1800176b8 call 18001c32c call 1800194a4 487->492 493 18000c64e-18000c653 487->493 515 18000cc28-18000cc85 call 1800194a4 488->515 529 18000cedc-18000cf26 call 1800194a4 490->529 497 18000cd35-18000cdce call 18000703c call 18001c32c 491->497 498 18000ccab-18000ccb0 491->498 492->482 500 18000c9c1-18000caa0 call 18002870c call 18001c32c call 1800194a4 493->500 501 18000c659-18000c65e 493->501 534 18000cdd3-18000ce2e call 1800194a4 497->534 508 18000ccb6-18000cd30 call 180021434 498->508 509 18000d00f-18000d014 498->509 500->482 511 18000c664-18000c669 501->511 512 18000c8bb-18000c963 call 180002610 call 18001c32c 501->512 508->482 509->482 517 18000d01a-18000d020 509->517 521 18000c7b2-18000c85a call 180019618 call 18001c32c 511->521 522 18000c66f-18000c674 511->522 545 18000c968-18000c9bc call 1800194a4 512->545 514->509 515->482 554 18000c85f-18000c8b6 call 1800194a4 521->554 522->509 532 18000c67a-18000c73d call 180002178 call 18001c32c 522->532 529->482 555 18000c742-18000c7ad call 1800194a4 532->555 534->482 545->482 554->482 555->482
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: +#;)$K'$sf$w\H
                                                                    • API String ID: 0-1051058546
                                                                    • Opcode ID: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
                                                                    • Instruction ID: 30c6111824d62709d88844cae5ccd518ea343406d57bec7882368cdc1c6a6611
                                                                    • Opcode Fuzzy Hash: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
                                                                    • Instruction Fuzzy Hash: 8362F97050068D8FDB48DF28C89A6DD3FA1FB58388F524229FC4AA7251D778D999CBC4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001E3AC Relevance: 4.0, Strings: 3, Instructions: 215COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: <4P$<8$<w.
                                                                    • API String ID: 0-1030867500
                                                                    • Opcode ID: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
                                                                    • Instruction ID: 97d266913d6b0fd63d839b3c54903fd41a2ccd22a8a26fffcb9587bfe3b6431f
                                                                    • Opcode Fuzzy Hash: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
                                                                    • Instruction Fuzzy Hash: C8B1E17151A384ABD788CF28C1C994BBBE1FBD4754F906A1DF8C68B260D7B0D948CB02
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001C964 Relevance: 1.5, Strings: 1, Instructions: 207COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: xDC
                                                                    • API String ID: 0-90241050
                                                                    • Opcode ID: 1794493f14346c80bf95ebec7e4fc927d8b172e8d91b7fcff559d0595d0365ee
                                                                    • Instruction ID: 9121b1bc5c885adbeef7a29f5b0494aad7ac2618abc594bea640adf26706a648
                                                                    • Opcode Fuzzy Hash: 1794493f14346c80bf95ebec7e4fc927d8b172e8d91b7fcff559d0595d0365ee
                                                                    • Instruction Fuzzy Hash: F391387052065CEBDB99DF68C8CAADD3BA0FB48394F906219FC4287250C775D9C98B86
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180009100 Relevance: .1, Instructions: 125COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
                                                                    • Instruction ID: 281782cf28aa09d34d334260f991d1b96cfbd8271b51b9b7c31761fd0664cb75
                                                                    • Opcode Fuzzy Hash: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
                                                                    • Instruction Fuzzy Hash: 4B51EC715087889BCBB8DF18C9856CA7BF0FF95704F50891DE9898B250DF719A44DB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF30813EEC Relevance: 15.1, APIs: 10, Instructions: 121COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: EnvironmentStrings$Free$ByteCharMultiWide$ErrorLastfree
                                                                    • String ID:
                                                                    • API String ID: 994105223-0
                                                                    • Opcode ID: f850f7f34601db923eac004d86ac393417d210c29532925b20230ca42a5e0836
                                                                    • Instruction ID: 10d07d7ea2ae2a2c753ed8685fc398300aca6acfac677d8f0d293aa657ab20ff
                                                                    • Opcode Fuzzy Hash: f850f7f34601db923eac004d86ac393417d210c29532925b20230ca42a5e0836
                                                                    • Instruction Fuzzy Hash: 78419F22E0C75786EA689B12A54403977E5FF88BD8F585436DA4E07B94CE3CF492E70C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF30812154 Relevance: 10.6, APIs: 7, Instructions: 87threadCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 187 7fff30812154-7fff30812160 188 7fff308121e1-7fff308121e3 187->188 189 7fff30812162-7fff3081216b call 7fff30814110 187->189 191 7fff308121e5-7fff308121ed 188->191 192 7fff3081221e-7fff30812221 188->192 197 7fff3081216d-7fff3081216f 189->197 201 7fff30812174-7fff3081217b call 7fff30812fa0 189->201 196 7fff308121f3-7fff30812201 191->196 191->197 193 7fff30812223-7fff30812232 call 7fff30812c88 call 7fff30813108 192->193 194 7fff30812279-7fff3081227c 192->194 213 7fff30812237-7fff3081223d 193->213 198 7fff30812285 194->198 199 7fff3081227e-7fff30812280 call 7fff30812f50 194->199 202 7fff30812203 call 7fff308136d0 196->202 203 7fff30812208-7fff3081220b 196->203 204 7fff3081228a-7fff3081228f 197->204 198->204 199->198 214 7fff30812184-7fff308121a9 call 7fff308140a0 GetCommandLineA call 7fff30813eec call 7fff30813758 201->214 215 7fff3081217d-7fff30812182 call 7fff3081415c 201->215 202->203 203->198 209 7fff3081220d-7fff3081221c call 7fff30813a48 call 7fff30812c94 call 7fff3081415c 203->209 209->198 213->197 219 7fff30812243-7fff30812257 FlsSetValue 213->219 236 7fff308121b2-7fff308121b9 call 7fff30813df4 214->236 237 7fff308121ab-7fff308121b0 call 7fff30812c94 214->237 215->197 223 7fff3081226f-7fff30812274 call 7fff30813024 219->223 224 7fff30812259-7fff3081226d call 7fff30812cbc GetCurrentThreadId 219->224 223->197 224->198 242 7fff308121da-7fff308121df call 7fff30813a48 236->242 243 7fff308121bb-7fff308121c2 call 7fff30813aec 236->243 237->215 242->237 243->242 248 7fff308121c4-7fff308121c6 call 7fff3081347c 243->248 250 7fff308121cb-7fff308121cd 248->250 250->242 251 7fff308121cf-7fff308121d5 250->251 251->198
                                                                    APIs
                                                                      • Part of subcall function 00007FFF30814110: HeapCreate.KERNELBASE(?,?,?,?,00007FFF30812169), ref: 00007FFF30814122
                                                                      • Part of subcall function 00007FFF30814110: HeapSetInformation.KERNEL32 ref: 00007FFF3081414C
                                                                    • _RTC_Initialize.LIBCMT ref: 00007FFF30812184
                                                                    • GetCommandLineA.KERNEL32 ref: 00007FFF30812189
                                                                      • Part of subcall function 00007FFF30813EEC: GetEnvironmentStringsW.KERNELBASE(?,?,?,?,?,?,?,00007FFF3081219B), ref: 00007FFF30813F1B
                                                                      • Part of subcall function 00007FFF30813EEC: GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FFF3081219B), ref: 00007FFF30813F5B
                                                                      • Part of subcall function 00007FFF30813758: GetStartupInfoA.KERNEL32 ref: 00007FFF3081377D
                                                                    • __setargv.LIBCMT ref: 00007FFF308121B2
                                                                    • _cinit.LIBCMT ref: 00007FFF308121C6
                                                                      • Part of subcall function 00007FFF30812C94: FlsFree.KERNEL32(?,?,?,?,00007FFF30812217), ref: 00007FFF30812CA3
                                                                      • Part of subcall function 00007FFF30812C94: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFF30812217), ref: 00007FFF30816A32
                                                                      • Part of subcall function 00007FFF30812C94: free.LIBCMT ref: 00007FFF30816A3B
                                                                      • Part of subcall function 00007FFF30812C94: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFF30812217), ref: 00007FFF30816A5B
                                                                      • Part of subcall function 00007FFF30813108: Sleep.KERNEL32(?,?,0000000A,00007FFF30812DA3,?,?,?,00007FFF30812DFF,?,?,?,00007FFF3081254F,?,?,?,00007FFF3081262A), ref: 00007FFF3081314D
                                                                    • FlsSetValue.KERNEL32 ref: 00007FFF3081224C
                                                                    • GetCurrentThreadId.KERNEL32 ref: 00007FFF30812260
                                                                    • free.LIBCMT ref: 00007FFF3081226F
                                                                      • Part of subcall function 00007FFF30813024: HeapFree.KERNEL32(?,?,00000000,00007FFF30812DDC,?,?,?,00007FFF30812DFF,?,?,?,00007FFF3081254F,?,?,?,00007FFF3081262A), ref: 00007FFF3081303A
                                                                      • Part of subcall function 00007FFF30813024: _errno.LIBCMT ref: 00007FFF30813044
                                                                      • Part of subcall function 00007FFF30813024: GetLastError.KERNEL32(?,?,00000000,00007FFF30812DDC,?,?,?,00007FFF30812DFF,?,?,?,00007FFF3081254F,?,?,?,00007FFF3081262A), ref: 00007FFF3081304C
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Heapfree$CriticalDeleteEnvironmentFreeSectionStrings$CommandCreateCurrentErrorInfoInformationInitializeLastLineSleepStartupThreadValue__setargv_cinit_errno
                                                                    • String ID:
                                                                    • API String ID: 1549890855-0
                                                                    • Opcode ID: 1bfc46722c3ac8e7b1a3fe84d8ded69fde3dc3f1e7eef4d63a5cdedb7541036a
                                                                    • Instruction ID: ed9545e77df252268e333053169244c879f9559b200b8cbb6ffa3d93a19f0e68
                                                                    • Opcode Fuzzy Hash: 1bfc46722c3ac8e7b1a3fe84d8ded69fde3dc3f1e7eef4d63a5cdedb7541036a
                                                                    • Instruction Fuzzy Hash: 1A311C20E0C603A2FA6CB7B1680267E61E95F5575CF144537DA1E853C6EE2CF464F21E
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF30814CD4 Relevance: 9.1, APIs: 6, Instructions: 122COMMONLIBRARYCODE
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • _getptd.LIBCMT ref: 00007FFF30814CF3
                                                                      • Part of subcall function 00007FFF3081497C: GetOEMCP.KERNEL32(?,?,?,?,?,?,?,00007FFF30814D0E,?,?,?,?,?,00007FFF30814EE3), ref: 00007FFF308149A6
                                                                      • Part of subcall function 00007FFF3081309C: Sleep.KERNEL32(?,?,00000000,00007FFF30816B19,?,?,00000000,00007FFF30816BC3,?,?,?,?,?,?,00000000,00007FFF30812DC8), ref: 00007FFF308130D2
                                                                    • free.LIBCMT ref: 00007FFF30814D7F
                                                                      • Part of subcall function 00007FFF30813024: HeapFree.KERNEL32(?,?,00000000,00007FFF30812DDC,?,?,?,00007FFF30812DFF,?,?,?,00007FFF3081254F,?,?,?,00007FFF3081262A), ref: 00007FFF3081303A
                                                                      • Part of subcall function 00007FFF30813024: _errno.LIBCMT ref: 00007FFF30813044
                                                                      • Part of subcall function 00007FFF30813024: GetLastError.KERNEL32(?,?,00000000,00007FFF30812DDC,?,?,?,00007FFF30812DFF,?,?,?,00007FFF3081254F,?,?,?,00007FFF3081262A), ref: 00007FFF3081304C
                                                                    • _lock.LIBCMT ref: 00007FFF30814DB7
                                                                    • free.LIBCMT ref: 00007FFF30814E67
                                                                    • free.LIBCMT ref: 00007FFF30814E97
                                                                    • _errno.LIBCMT ref: 00007FFF30814E9C
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: free$_errno_getptd$ErrorFreeHeapLastSleep_lock
                                                                    • String ID:
                                                                    • API String ID: 1264244385-0
                                                                    • Opcode ID: 2d1c73193aff0bd2fa234daa6436aaac9807f819087f81d2c1bddea91d33e348
                                                                    • Instruction ID: ceb8d12e25ff314b516bc0661f15e88a276513b1db7d2d89af17de5996cb357f
                                                                    • Opcode Fuzzy Hash: 2d1c73193aff0bd2fa234daa6436aaac9807f819087f81d2c1bddea91d33e348
                                                                    • Instruction Fuzzy Hash: 73519031A0868286E7589F65E400279B7E5FF84B6CF245237DA9E437A5CF7CE401E708
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF30816C34 Relevance: 7.5, APIs: 5, Instructions: 47memoryCOMMONLIBRARYCODE
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _errno$AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 502529563-0
                                                                    • Opcode ID: d18ae8e3cce73ce1a52224a39a8d43e75eaf3a21478d7bf67846a2816eda3af9
                                                                    • Instruction ID: f404e71b345ac9abe194b5b407ada8a3b787f89094cea8edbec19f46aa0c816f
                                                                    • Opcode Fuzzy Hash: d18ae8e3cce73ce1a52224a39a8d43e75eaf3a21478d7bf67846a2816eda3af9
                                                                    • Instruction Fuzzy Hash: 03117020E0974385FA596FA1A81067A22E0DF84B98F044636E99D077C2CE3CE461E759
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF30811EE7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47memoryCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: AllocateBoundaryDeleteDescriptorHeap
                                                                    • String ID: vb4vcW2kAW3Twaz?30
                                                                    • API String ID: 254689257-4179232793
                                                                    • Opcode ID: 08b1cf252e4ad689d9d92df66199491e9f35c83da394e0c34af369396f0aa75a
                                                                    • Instruction ID: 55635d6ab8e8edda728b1dcc34810195d3016008e0f6d086653d3bc262e7f2a7
                                                                    • Opcode Fuzzy Hash: 08b1cf252e4ad689d9d92df66199491e9f35c83da394e0c34af369396f0aa75a
                                                                    • Instruction Fuzzy Hash: F421253660CEC286E730CB15E4543AA77E9FB88748F404176CA8D83765DF7DA502EB08
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF30812FA0 Relevance: 4.5, APIs: 3, Instructions: 35memorythreadCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 00007FFF308136F0: _initp_misc_winsig.LIBCMT ref: 00007FFF30813729
                                                                      • Part of subcall function 00007FFF308136F0: EncodePointer.KERNEL32(?,?,?,00007FFF30812FAB,?,?,?,00007FFF30812179), ref: 00007FFF30813745
                                                                    • FlsAlloc.KERNEL32(?,?,?,00007FFF30812179), ref: 00007FFF30812FBB
                                                                      • Part of subcall function 00007FFF30813108: Sleep.KERNEL32(?,?,0000000A,00007FFF30812DA3,?,?,?,00007FFF30812DFF,?,?,?,00007FFF3081254F,?,?,?,00007FFF3081262A), ref: 00007FFF3081314D
                                                                    • FlsSetValue.KERNEL32(?,?,?,00007FFF30812179), ref: 00007FFF30812FEC
                                                                    • GetCurrentThreadId.KERNEL32 ref: 00007FFF30813000
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _lock$AllocCurrentEncodePointerSleepThreadValue_initp_misc_winsig
                                                                    • String ID:
                                                                    • API String ID: 54287522-0
                                                                    • Opcode ID: 926dbc3dc0f4bcdbbdac5bfac17ca3eb5364a16ed8e4c5d99003da15ed9a218c
                                                                    • Instruction ID: 159ad8248fa37768c77eb4785dfa6536471e04df76b8789691ac5bd29f2e3a5e
                                                                    • Opcode Fuzzy Hash: 926dbc3dc0f4bcdbbdac5bfac17ca3eb5364a16ed8e4c5d99003da15ed9a218c
                                                                    • Instruction Fuzzy Hash: FC018160E08A03C2FB5DAB71980527862E5AF08768F040236D53D963E1EF2CE495F22C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF30812050 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 600 7fff30812050-7fff3081207f call 7fff307d1000 ExitProcess
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: ExitProcess
                                                                    • String ID: JKvDDasqwOPvGXZdqW
                                                                    • API String ID: 621844428-4059861069
                                                                    • Opcode ID: deed1fdb9085c7dcd35d809f3e44395f38d7cca76780fd27941661c68abd14ec
                                                                    • Instruction ID: 956c447d0547eff3b3d8e96d942fce6c47f95c5f35c41c594640498024f696af
                                                                    • Opcode Fuzzy Hash: deed1fdb9085c7dcd35d809f3e44395f38d7cca76780fd27941661c68abd14ec
                                                                    • Instruction Fuzzy Hash: D1D0C925A18B8282DA20AB50F80535A73E4FB8974CFC10232D5CC46728DF7CE296DB18
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF30816CEC Relevance: 3.1, APIs: 2, Instructions: 52memoryCOMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • _errno.LIBCMT ref: 00007FFF30816D0F
                                                                      • Part of subcall function 00007FFF308166D8: DecodePointer.KERNEL32 ref: 00007FFF308166FF
                                                                    • RtlAllocateHeap.NTDLL(?,?,?,?,00000000,00007FFF3081313B,?,?,0000000A,00007FFF30812DA3,?,?,?,00007FFF30812DFF), ref: 00007FFF30816D58
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: AllocateDecodeHeapPointer_errno
                                                                    • String ID:
                                                                    • API String ID: 15861996-0
                                                                    • Opcode ID: 39e9772f0cc65a7484b61a3e1fb2b868eaa6fa792f1398e078783a6d2fc3ba42
                                                                    • Instruction ID: 03c5ece45ff06d945158a011f4ab92470a58c1dd05ad5ae994389abfbfb91521
                                                                    • Opcode Fuzzy Hash: 39e9772f0cc65a7484b61a3e1fb2b868eaa6fa792f1398e078783a6d2fc3ba42
                                                                    • Instruction Fuzzy Hash: BB11CE62B0D24386FB594F25F60477A62E19F807ECF088A36CE9D06BC4DF6DA460D608
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF308136F0 Relevance: 3.0, APIs: 2, Instructions: 26COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • _initp_misc_winsig.LIBCMT ref: 00007FFF30813729
                                                                      • Part of subcall function 00007FFF3081755C: EncodePointer.KERNEL32(?,?,?,?,00007FFF3081373E,?,?,?,00007FFF30812FAB,?,?,?,00007FFF30812179), ref: 00007FFF30817567
                                                                    • EncodePointer.KERNEL32(?,?,?,00007FFF30812FAB,?,?,?,00007FFF30812179), ref: 00007FFF30813745
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: EncodePointer$_initp_misc_winsig
                                                                    • String ID:
                                                                    • API String ID: 190222155-0
                                                                    • Opcode ID: 29817383cbd5b8fc12b900dc218af1d2c44829c2a488d6b4e34f3447ba8c1d75
                                                                    • Instruction ID: 635e0cdbf0d0749ed50a2b022a0418cd1152e1d5e27f4ac38091ba3aa5cbb75c
                                                                    • Opcode Fuzzy Hash: 29817383cbd5b8fc12b900dc218af1d2c44829c2a488d6b4e34f3447ba8c1d75
                                                                    • Instruction Fuzzy Hash: 29F0A500E8864340E90CFB626C620FD12E00F96B88F88207AE81F1A393DD2CE561E34C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF30814110 Relevance: 3.0, APIs: 2, Instructions: 18memoryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Heap$CreateInformation
                                                                    • String ID:
                                                                    • API String ID: 1774340351-0
                                                                    • Opcode ID: 489fa6aa26c4b222785c1fb3dc785f295b08bd9aa245ee8ef2e9349b67055af0
                                                                    • Instruction ID: ea5b7ace72e6f820050528603f724c6e33fad1677a84c52149df96571c7022a4
                                                                    • Opcode Fuzzy Hash: 489fa6aa26c4b222785c1fb3dc785f295b08bd9aa245ee8ef2e9349b67055af0
                                                                    • Instruction Fuzzy Hash: 3CE08675F2578293F7989B25E819B6672E4FF88344F80503AEA4E02B94DF3CD055CB04
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF308173F4 Relevance: 1.5, APIs: 1, Instructions: 15COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • EncodePointer.KERNEL32(?,?,?,00007FFF308134AF,?,?,?,00007FFF308121CB), ref: 00007FFF3081740D
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: EncodePointer
                                                                    • String ID:
                                                                    • API String ID: 2118026453-0
                                                                    • Opcode ID: 0a2c1c774571843224449336236925bab63b88d9ce0b4f967ac09496dc1b8d3d
                                                                    • Instruction ID: 2739dfc7ea1f8aa868d46876f16864415edac79ed4dae9e880b32ae58e374c69
                                                                    • Opcode Fuzzy Hash: 0a2c1c774571843224449336236925bab63b88d9ce0b4f967ac09496dc1b8d3d
                                                                    • Instruction Fuzzy Hash: BAD05B32F5458182DB159F25F59016D63E4EF84798F588032D65C07745DD3CC566C704
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF30813108 Relevance: 1.3, APIs: 1, Instructions: 36sleepCOMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • Sleep.KERNEL32(?,?,0000000A,00007FFF30812DA3,?,?,?,00007FFF30812DFF,?,?,?,00007FFF3081254F,?,?,?,00007FFF3081262A), ref: 00007FFF3081314D
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Sleep_errno
                                                                    • String ID:
                                                                    • API String ID: 1068366078-0
                                                                    • Opcode ID: 99b9e4cc6464749d47a71fc1b610823d805388b9272814145126b07a25ab941d
                                                                    • Instruction ID: 5a39ff96d505641beb92ff7fc489172bf5fab4e114e2961c05027fb442ea003a
                                                                    • Opcode Fuzzy Hash: 99b9e4cc6464749d47a71fc1b610823d805388b9272814145126b07a25ab941d
                                                                    • Instruction Fuzzy Hash: DE01DB32A14B4185EA488F16A800029B7E5FF84FD4F480132EE5D03B50DF3CE891C708
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF3081309C Relevance: 1.3, APIs: 1, Instructions: 30sleepCOMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                      • Part of subcall function 00007FFF30816C34: _FF_MSGBANNER.LIBCMT ref: 00007FFF30816C64
                                                                      • Part of subcall function 00007FFF30816C34: RtlAllocateHeap.NTDLL(?,?,00000000,00007FFF308130C0,?,?,00000000,00007FFF30816B19,?,?,00000000,00007FFF30816BC3), ref: 00007FFF30816C89
                                                                      • Part of subcall function 00007FFF30816C34: _errno.LIBCMT ref: 00007FFF30816CAD
                                                                      • Part of subcall function 00007FFF30816C34: _errno.LIBCMT ref: 00007FFF30816CB8
                                                                    • Sleep.KERNEL32(?,?,00000000,00007FFF30816B19,?,?,00000000,00007FFF30816BC3,?,?,?,?,?,?,00000000,00007FFF30812DC8), ref: 00007FFF308130D2
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _errno$AllocateHeapSleep
                                                                    • String ID:
                                                                    • API String ID: 4153772858-0
                                                                    • Opcode ID: fda341601c3db2866e613cad0830f714017b4f3b234a5a25ccfa8741b4d7d732
                                                                    • Instruction ID: aa5b59a1aa3600c14c715c30cb740edab270dd1379667ec037bcc5c2ac0989aa
                                                                    • Opcode Fuzzy Hash: fda341601c3db2866e613cad0830f714017b4f3b234a5a25ccfa8741b4d7d732
                                                                    • Instruction Fuzzy Hash: 7EF02B32A09B8686EA54DF16B44003EB3E4FF88B94F440136EA9D03755DF3CE892DB08
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions

                                                                    Function 00007FFF3081D0B8 Relevance: 36.9, APIs: 15, Strings: 6, Instructions: 130libraryloaderCOMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF308170D4,?,?,?,?,?,00007FFF30817194), ref: 00007FFF3081D0F5
                                                                    • GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF308170D4,?,?,?,?,?,00007FFF30817194), ref: 00007FFF3081D111
                                                                    • GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF308170D4,?,?,?,?,?,00007FFF30817194), ref: 00007FFF3081D139
                                                                    • EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF308170D4,?,?,?,?,?,00007FFF30817194), ref: 00007FFF3081D142
                                                                    • GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF308170D4,?,?,?,?,?,00007FFF30817194), ref: 00007FFF3081D158
                                                                    • EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF308170D4,?,?,?,?,?,00007FFF30817194), ref: 00007FFF3081D161
                                                                    • GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF308170D4,?,?,?,?,?,00007FFF30817194), ref: 00007FFF3081D177
                                                                    • EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF308170D4,?,?,?,?,?,00007FFF30817194), ref: 00007FFF3081D180
                                                                    • GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF308170D4,?,?,?,?,?,00007FFF30817194), ref: 00007FFF3081D19E
                                                                    • EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF308170D4,?,?,?,?,?,00007FFF30817194), ref: 00007FFF3081D1A7
                                                                    • DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF308170D4,?,?,?,?,?,00007FFF30817194), ref: 00007FFF3081D1D9
                                                                    • DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF308170D4,?,?,?,?,?,00007FFF30817194), ref: 00007FFF3081D1E8
                                                                    • DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF308170D4,?,?,?,?,?,00007FFF30817194), ref: 00007FFF3081D240
                                                                    • DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF308170D4,?,?,?,?,?,00007FFF30817194), ref: 00007FFF3081D260
                                                                    • DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF308170D4,?,?,?,?,?,00007FFF30817194), ref: 00007FFF3081D279
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Pointer$AddressDecodeProc$Encode$LibraryLoad
                                                                    • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
                                                                    • API String ID: 3085332118-232180764
                                                                    • Opcode ID: 3571919baaed57aa13675d85a49604ff28a57139c9f79241176628fa60ae3818
                                                                    • Instruction ID: 5a4f0c63967db513858f1a115beba8be283b7cbbbfc566e2890b1685f6f16ab5
                                                                    • Opcode Fuzzy Hash: 3571919baaed57aa13675d85a49604ff28a57139c9f79241176628fa60ae3818
                                                                    • Instruction Fuzzy Hash: AD511920E0AB4390FD68DB52B84027963E4AF49B8CF840037DD5E477A5EE3CF486E208
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF3081895C Relevance: 24.4, APIs: 16, Instructions: 377COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: String$free$ByteCharMultiWide$ErrorLast
                                                                    • String ID:
                                                                    • API String ID: 1446610345-0
                                                                    • Opcode ID: 1cb68e5ebb75471bd28e921dddda68db4bd0a605ea05e1978d1bd0bd9315b2d8
                                                                    • Instruction ID: d0b22121586e4505bf797aa8365836cb136006fa1dfec55d8b3a588506f8fecb
                                                                    • Opcode Fuzzy Hash: 1cb68e5ebb75471bd28e921dddda68db4bd0a605ea05e1978d1bd0bd9315b2d8
                                                                    • Instruction Fuzzy Hash: E9F1E032A08682CBE7688F2494411A977E1FF48BACF544A36EA5D57BD4CF3CE940D748
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF3081C934 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 161COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Locale$InfoValid$CodeDefaultPageUser_getptd_itow_s
                                                                    • String ID: Norwegian-Nynorsk
                                                                    • API String ID: 2273835618-461349085
                                                                    • Opcode ID: 27b601e54d08442215230f85cfe0824a991ba4f10c2dcca786a022abe7f281d3
                                                                    • Instruction ID: e25371e84a2bf4bece68d4516490dc9dea4ac079f7e35e880ab1f72d01a9e635
                                                                    • Opcode Fuzzy Hash: 27b601e54d08442215230f85cfe0824a991ba4f10c2dcca786a022abe7f281d3
                                                                    • Instruction Fuzzy Hash: 73614862A0879686FB699F21D4423B927E0EF44B8CF484137DA4D867D5DF7CE940E309
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF3081B5CC Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407timeCOMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: FormatTime$__ascii_stricmpfree
                                                                    • String ID: a/p$am/pm
                                                                    • API String ID: 2252689280-3206640213
                                                                    • Opcode ID: f0a1e010cfc2bba628f50de28a03b415369789bd89755694daa0cdadb7c0128b
                                                                    • Instruction ID: e4b8cc98dc5863217f7d32c645123540872abf734c17dcc07fb666f2880d61bb
                                                                    • Opcode Fuzzy Hash: f0a1e010cfc2bba628f50de28a03b415369789bd89755694daa0cdadb7c0128b
                                                                    • Instruction Fuzzy Hash: 57F1D222A1D6A286E77C8F2C94505BC67E1FF04B8CF449533EA8D47B85DE3DA845E309
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF30816F0C Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 137fileCOMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FFF30817194,?,?,?,?,00007FFF30816C69,?,?,00000000,00007FFF308130C0), ref: 00007FFF30816FCF
                                                                    • GetStdHandle.KERNEL32(?,?,?,?,?,00007FFF30817194,?,?,?,?,00007FFF30816C69,?,?,00000000,00007FFF308130C0), ref: 00007FFF308170DB
                                                                    • WriteFile.KERNEL32 ref: 00007FFF30817115
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: File$HandleModuleNameWrite
                                                                    • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                    • API String ID: 3784150691-4022980321
                                                                    • Opcode ID: a3f87b8c5f367064f797f5b9ceb23e0cb6ebb80f3dcd78d3f9f2145c33283283
                                                                    • Instruction ID: 501d2ed64d9eef46ccd0d337a457db3505ed89a6ab9410ad9c4f5af1478b77a8
                                                                    • Opcode Fuzzy Hash: a3f87b8c5f367064f797f5b9ceb23e0cb6ebb80f3dcd78d3f9f2145c33283283
                                                                    • Instruction Fuzzy Hash: FE51CE21B18A4342FB28DB25A9567BB22E5BF4839CF80453BDD4D46BD6CE3CE145E208
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF308120E0 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
                                                                    • String ID:
                                                                    • API String ID: 3778485334-0
                                                                    • Opcode ID: 44244c45948aa76910f1429c67e23cf948153936c8457040e3babb9890c0c3d8
                                                                    • Instruction ID: b1ecc37e4143d1014f3fb454b7afa45ed5e87cb27a71fdde42e9971347f5a317
                                                                    • Opcode Fuzzy Hash: 44244c45948aa76910f1429c67e23cf948153936c8457040e3babb9890c0c3d8
                                                                    • Instruction Fuzzy Hash: B431A035908F4786EB549B55F8443AA73E8FF84758F900136DA8D427A5DF7CE0A8EB08
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF3081E6C0 Relevance: 10.8, APIs: 7, Instructions: 301COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • _lock.LIBCMT ref: 00007FFF3081E6EB
                                                                    • free.LIBCMT ref: 00007FFF3081E7E2
                                                                      • Part of subcall function 00007FFF30813024: HeapFree.KERNEL32(?,?,00000000,00007FFF30812DDC,?,?,?,00007FFF30812DFF,?,?,?,00007FFF3081254F,?,?,?,00007FFF3081262A), ref: 00007FFF3081303A
                                                                      • Part of subcall function 00007FFF30813024: _errno.LIBCMT ref: 00007FFF30813044
                                                                      • Part of subcall function 00007FFF30813024: GetLastError.KERNEL32(?,?,00000000,00007FFF30812DDC,?,?,?,00007FFF30812DFF,?,?,?,00007FFF3081254F,?,?,?,00007FFF3081262A), ref: 00007FFF3081304C
                                                                    • ___lc_codepage_func.LIBCMT ref: 00007FFF3081E76B
                                                                      • Part of subcall function 00007FFF30816550: RtlCaptureContext.KERNEL32 ref: 00007FFF3081658F
                                                                      • Part of subcall function 00007FFF30816550: IsDebuggerPresent.KERNEL32 ref: 00007FFF3081662D
                                                                      • Part of subcall function 00007FFF30816550: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFF30816637
                                                                      • Part of subcall function 00007FFF30816550: UnhandledExceptionFilter.KERNEL32 ref: 00007FFF30816642
                                                                      • Part of subcall function 00007FFF30816550: GetCurrentProcess.KERNEL32 ref: 00007FFF30816658
                                                                      • Part of subcall function 00007FFF30816550: TerminateProcess.KERNEL32 ref: 00007FFF30816666
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _errno$ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerErrorFreeHeapLastPresentTerminate___lc_codepage_func_lockfree
                                                                    • String ID:
                                                                    • API String ID: 178205154-0
                                                                    • Opcode ID: 74de64cbd29ae749c01db9c906a5c8058d145dff36747eda2fd1744b72fc25a1
                                                                    • Instruction ID: 51d3e42f3ce13152830f841edc909e343cdaab8635c10cd3c9f9fb747f0fe2fe
                                                                    • Opcode Fuzzy Hash: 74de64cbd29ae749c01db9c906a5c8058d145dff36747eda2fd1744b72fc25a1
                                                                    • Instruction Fuzzy Hash: 0AD1C432A0C28285E7289F25E45077A7BE6BF95748F444137DA8E63B95CF3CE851E708
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF3081DF98 Relevance: 10.6, APIs: 7, Instructions: 136COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFF3081E1C2), ref: 00007FFF3081DFF2
                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFF3081E1C2), ref: 00007FFF3081E004
                                                                    • GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFF3081E1C2), ref: 00007FFF3081E04F
                                                                    • GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFF3081E1C2), ref: 00007FFF3081E0E1
                                                                    • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFF3081E1C2), ref: 00007FFF3081E11B
                                                                    • free.LIBCMT ref: 00007FFF3081E12F
                                                                      • Part of subcall function 00007FFF30816C34: _FF_MSGBANNER.LIBCMT ref: 00007FFF30816C64
                                                                      • Part of subcall function 00007FFF30816C34: RtlAllocateHeap.NTDLL(?,?,00000000,00007FFF308130C0,?,?,00000000,00007FFF30816B19,?,?,00000000,00007FFF30816BC3), ref: 00007FFF30816C89
                                                                      • Part of subcall function 00007FFF30816C34: _errno.LIBCMT ref: 00007FFF30816CAD
                                                                      • Part of subcall function 00007FFF30816C34: _errno.LIBCMT ref: 00007FFF30816CB8
                                                                    • GetLocaleInfoA.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFF3081E1C2), ref: 00007FFF3081E145
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: InfoLocale$_errno$AllocateByteCharErrorHeapLastMultiWidefree
                                                                    • String ID:
                                                                    • API String ID: 2309262205-0
                                                                    • Opcode ID: 71a04b091aa06e394b105ea5eb29500c7d2471e259f2c6ae1c50144f40b044a4
                                                                    • Instruction ID: e7e24f5492a4cf74bb0956f81511d98342fb7cde7b6f64f7a54671b12eaec7d3
                                                                    • Opcode Fuzzy Hash: 71a04b091aa06e394b105ea5eb29500c7d2471e259f2c6ae1c50144f40b044a4
                                                                    • Instruction Fuzzy Hash: 7951A232A08A4696E7689F21984067973E6FF487ACF540637DA5E03BD4CF7CE850D708
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF3081FCA0 Relevance: 9.1, APIs: 6, Instructions: 91COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _errno$DecodePointer_lock
                                                                    • String ID:
                                                                    • API String ID: 2175075375-0
                                                                    • Opcode ID: e83d4e1a308f3a4c606242a395cb5e969118d697d0d9f70e8103cd5b86654c3e
                                                                    • Instruction ID: 380c72e49342fe781e142ea8b2a21f8dabd302b9e87200f804e22ae61b147207
                                                                    • Opcode Fuzzy Hash: e83d4e1a308f3a4c606242a395cb5e969118d697d0d9f70e8103cd5b86654c3e
                                                                    • Instruction Fuzzy Hash: 01318D22B0875382FB19AE61A45277A62D1AF84788F048536DF4D4BB87DF3CE421E708
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF30816550 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate
                                                                    • String ID:
                                                                    • API String ID: 1269745586-0
                                                                    • Opcode ID: 4b9ca92828b1b5c60ed307038ce46a3bf90eb6ca82a158dafa7f71ad6e682487
                                                                    • Instruction ID: ce6c7696a6695557d0fb900a817b0242b8b398c4496888f24300d7babec78645
                                                                    • Opcode Fuzzy Hash: 4b9ca92828b1b5c60ed307038ce46a3bf90eb6ca82a158dafa7f71ad6e682487
                                                                    • Instruction Fuzzy Hash: E3311A32A08B8692EA248B54E4413AAB3E4FB98748F500136DACD43B99EF7CD159DF04
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180022010 Relevance: 9.0, Strings: 7, Instructions: 235COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: "+H$1l7.$M8;$]$d$]k$]k$94
                                                                    • API String ID: 0-2447245168
                                                                    • Opcode ID: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
                                                                    • Instruction ID: 1221e244f5383d3e6569bf50eb566ee92e7d288cf12f4405919b94e37960c7a7
                                                                    • Opcode Fuzzy Hash: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
                                                                    • Instruction Fuzzy Hash: 3FB10D7160130CCBDBA9DF28C18A6DA3BE1FF48748F114129FD1A97261D774E919CB46
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF3081C16C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: InfoLocale
                                                                    • String ID: ACP$OCP
                                                                    • API String ID: 2299586839-711371036
                                                                    • Opcode ID: 388ed1ec509bc17a1b1080bf0c7b12a90c89964bfa9f21f0ca41505682e31820
                                                                    • Instruction ID: 5229d050fdee66962460fba5f8229d4312a44cc83ed66f561127b0cb3b85a987
                                                                    • Opcode Fuzzy Hash: 388ed1ec509bc17a1b1080bf0c7b12a90c89964bfa9f21f0ca41505682e31820
                                                                    • Instruction Fuzzy Hash: 50218121B48A47A2FA68CB20E8412B973E4FF4878CF444132DA4D47795EF2CE555E708
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180003598 Relevance: 8.2, Strings: 6, Instructions: 720COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 1h$I-$IY$QL&$li7$o
                                                                    • API String ID: 0-890095520
                                                                    • Opcode ID: d92cde7f9b8773e82faae5f21764c68a430e9ac7962d305d8d3ec3a014b69236
                                                                    • Instruction ID: 3309774e0679b3a301b7d0c809474a48ec240f33eb9a68417431e078f6a2137f
                                                                    • Opcode Fuzzy Hash: d92cde7f9b8773e82faae5f21764c68a430e9ac7962d305d8d3ec3a014b69236
                                                                    • Instruction Fuzzy Hash: 72921875604BC88BCBB8DF24DC85BDD7BE0FB86305F20561DD85E9AA60CBB85645CB02
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000AC48 Relevance: 8.0, Strings: 6, Instructions: 548COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 1$ {,$"$$-%$Rku$ i
                                                                    • API String ID: 0-1845893065
                                                                    • Opcode ID: 8a8483899f0d6f446eebdfc8e7bf7c7542960c12dc616770c4deeefd42d211ba
                                                                    • Instruction ID: cb6ea2ed9b9de3b3effb5fe074f3157ffd1060f729125c5012da7c2884d2f589
                                                                    • Opcode Fuzzy Hash: 8a8483899f0d6f446eebdfc8e7bf7c7542960c12dc616770c4deeefd42d211ba
                                                                    • Instruction Fuzzy Hash: EB52D470544BCA8BCBB8CF24CC85BEF7BA0FB44306F155529D89A8A291DBB85749CF41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180029B28 Relevance: 8.0, Strings: 6, Instructions: 535COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: VUS/$YV~$p$@$EX$OX
                                                                    • API String ID: 0-2743166816
                                                                    • Opcode ID: 5155f202f137bac6474ba6043cf7c54f40f5ffdfe883d22239fc44ed7813b08b
                                                                    • Instruction ID: 6ceb6cba6b0314249f0ec67deadc173c496f62a90fe3cec01f017443767c42d8
                                                                    • Opcode Fuzzy Hash: 5155f202f137bac6474ba6043cf7c54f40f5ffdfe883d22239fc44ed7813b08b
                                                                    • Instruction Fuzzy Hash: BD3213711097848FD3A9CF68C58A65BBBF0FBCA744F104A1DF68687260C7B6D949CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800059B8 Relevance: 7.9, Strings: 6, Instructions: 408COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: -!zt$Mv`b$R3T$d}9J$t:v$ru
                                                                    • API String ID: 0-2100131636
                                                                    • Opcode ID: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
                                                                    • Instruction ID: abddbd47ac15f5a8ffacaf8e31a06efd054a3dbd2afb1a66e8bbaa14beb483a4
                                                                    • Opcode Fuzzy Hash: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
                                                                    • Instruction Fuzzy Hash: C1221BB050478C8BDBB8CF64C9897DD7BB0FB44308F10862DDA5AAB250CBB45686CF59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180013780 Relevance: 7.8, Strings: 6, Instructions: 323COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $$"`2$lbzZ$lmq$tro$kO
                                                                    • API String ID: 0-2401169580
                                                                    • Opcode ID: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
                                                                    • Instruction ID: 279b0f6eedbbacd77816cba7ac57bf6919de5fbe0bc464da326619847ce4fcd1
                                                                    • Opcode Fuzzy Hash: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
                                                                    • Instruction Fuzzy Hash: BBF1C3709047488FDBA8DFA8D9867DDBBB1FB48304F20821DD84AEB255DB749A49CF41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF30814558 Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                    • String ID:
                                                                    • API String ID: 1445889803-0
                                                                    • Opcode ID: 223c3edd6aa26ef4227c63ba9b3a174b47cd905fe72dc54f34602d1df15ca246
                                                                    • Instruction ID: 0e6a68f043d9d666f4d4280a8e7155384063b17d6ae4ca7cb6ebccff122f5e5e
                                                                    • Opcode Fuzzy Hash: 223c3edd6aa26ef4227c63ba9b3a174b47cd905fe72dc54f34602d1df15ca246
                                                                    • Instruction Fuzzy Hash: 61018821619E4792EB408F21F44066573E4FB45B94F446532DE5E47790DF3CD8A5A704
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000FC48 Relevance: 6.7, Strings: 5, Instructions: 447COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: )#?$EX.$PT$UbA$2f
                                                                    • API String ID: 0-1318892062
                                                                    • Opcode ID: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
                                                                    • Instruction ID: a9b5704be98d3dd027f678fe08c59eda011257bdda9cf4ed25ea0f7660729633
                                                                    • Opcode Fuzzy Hash: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
                                                                    • Instruction Fuzzy Hash: 8B320DB190078C8BDBB8CF64C8856DD7BF0FB48318F50852DEA1A9B251DBB45685CF98
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001FC0C Relevance: 6.6, Strings: 5, Instructions: 400COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $T$?F$QP|m$qjf$tZp
                                                                    • API String ID: 0-3477398917
                                                                    • Opcode ID: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
                                                                    • Instruction ID: e54beaa769b94aae3cb673a52a2b60ade73482c6e5d3d936cdc9b6ae13d51efd
                                                                    • Opcode Fuzzy Hash: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
                                                                    • Instruction Fuzzy Hash: 0B122870A0470CDFCF69DFA8C08A6DDBBF2FB44344F1091A9E816AB261D7759A19CB41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180016D3C Relevance: 6.6, Strings: 5, Instructions: 379COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: JQ$k&($t$v$x\J
                                                                    • API String ID: 0-1134872184
                                                                    • Opcode ID: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
                                                                    • Instruction ID: 7c1fd17b310acde7e359d6be57bcfb6c2dd011f2caef592e77d3cba241376f6b
                                                                    • Opcode Fuzzy Hash: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
                                                                    • Instruction Fuzzy Hash: F312E0B0504709EFCB99DF28C18AADE7BF0FB48308F40812AF80A9B254D774DA58DB45
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000703C Relevance: 6.3, Strings: 5, Instructions: 87COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: R$)H8$?rIc$L==$V
                                                                    • API String ID: 0-2512384441
                                                                    • Opcode ID: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
                                                                    • Instruction ID: 6f6f9af97a41f07aad9f9d1cbd67af5334817a93c453241fb2a5d498ae2065c2
                                                                    • Opcode Fuzzy Hash: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
                                                                    • Instruction Fuzzy Hash: 3541D0B090074E8BCF48CF64D49A5DE7FB0FB68398F20421DE856A6250D3B896A5CFC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800119A8 Relevance: 6.3, Strings: 5, Instructions: 63COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Qq$bt$vird$+$S
                                                                    • API String ID: 0-3373980505
                                                                    • Opcode ID: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
                                                                    • Instruction ID: 8c34661c01ca41a1498f33dadfb9b2381b3c020394efcb6cfebc1cbd8490f91c
                                                                    • Opcode Fuzzy Hash: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
                                                                    • Instruction Fuzzy Hash: 8831C2B081038A8FDB45CF64C88A5DE7BF0FB58358F115A19F869A6250D3B4D668CF81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF3081C450 Relevance: 6.2, APIs: 4, Instructions: 152COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: InfoLocale$_getptd
                                                                    • String ID:
                                                                    • API String ID: 1743167714-0
                                                                    • Opcode ID: b0fda2b9e43f1133ad190798799e4c2ffbba67a865a56d93994de7f284044248
                                                                    • Instruction ID: 3e4e65a4f9f2335a8e7031d27de633a4fe8bbbe7b8406fb111953485f97cbbba
                                                                    • Opcode Fuzzy Hash: b0fda2b9e43f1133ad190798799e4c2ffbba67a865a56d93994de7f284044248
                                                                    • Instruction Fuzzy Hash: 30613872B08A8697EA6C9A61D9463E9B3E1FB9830AF40013AC71D87391CF3CE464D705
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180011AD0 Relevance: 5.3, Strings: 4, Instructions: 335COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: V$@$P9$^_"
                                                                    • API String ID: 0-1880944046
                                                                    • Opcode ID: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
                                                                    • Instruction ID: ef3f81825b514374c5d287d432cdf068934c0dc0259921085eace1de493a05f6
                                                                    • Opcode Fuzzy Hash: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
                                                                    • Instruction Fuzzy Hash: B6F1DF70504749EFCB98CF28D18AACE7BE0FB48348F50812AF81A9B264D770DA59DB45
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800132F0 Relevance: 5.3, Strings: 4, Instructions: 312COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: =_$F)k$b/$syG
                                                                    • API String ID: 0-3955183656
                                                                    • Opcode ID: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
                                                                    • Instruction ID: 3a63fdd7148b145f5d2717dabea2a2fa508061acbcc25a132c341bfe6e9ad30f
                                                                    • Opcode Fuzzy Hash: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
                                                                    • Instruction Fuzzy Hash: DED12771A0478D8BCF59DFA8C88A6EEBBB0FB48344F10421DE846A7650D7B4D909CF85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180002D70 Relevance: 5.3, Strings: 4, Instructions: 266COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #X$'Xsa$iJ6$vG
                                                                    • API String ID: 0-746338152
                                                                    • Opcode ID: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
                                                                    • Instruction ID: 8ba50615c78112980223cca8f04f1fa67c4b69ee5a809e4e0bd2b8ae6832a1bb
                                                                    • Opcode Fuzzy Hash: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
                                                                    • Instruction Fuzzy Hash: 93E154B590070DDFCB88DF68D19A9DD7BB9BB49308F404029FC0E9A264D3B4E919CB56
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800097C0 Relevance: 5.3, Strings: 4, Instructions: 257COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: *i^$MIC$-Z$]2
                                                                    • API String ID: 0-498664264
                                                                    • Opcode ID: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
                                                                    • Instruction ID: 9792ecb135b2155067e966d5e38dbf4f409fde80c29e70d57d2078ebe1ce15c6
                                                                    • Opcode Fuzzy Hash: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
                                                                    • Instruction Fuzzy Hash: 10E1C670109B888FDBF8DF64CC86BEB7BA5FB44346F10651DD84A8A290DBB46645CF41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180027F9C Relevance: 5.2, Strings: 4, Instructions: 237COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: >97"$?$LsRW$~x
                                                                    • API String ID: 0-2554301858
                                                                    • Opcode ID: b37088c51263af6e06ebf62d89f1bff1b13e76a95d3b3fa096a3ef4bda325288
                                                                    • Instruction ID: eb38a845d203af82144c13b3f151f5fa827cd0cb8678597ee03ac1a376820114
                                                                    • Opcode Fuzzy Hash: b37088c51263af6e06ebf62d89f1bff1b13e76a95d3b3fa096a3ef4bda325288
                                                                    • Instruction Fuzzy Hash: E1D1E7705067C8CBEBBADFA4D885BCD3BA8FB44744F106219EC4AEA250DB745749CB01
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180010758 Relevance: 5.2, Strings: 4, Instructions: 222COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: B$EG$QsF$_
                                                                    • API String ID: 0-784369960
                                                                    • Opcode ID: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
                                                                    • Instruction ID: 62dbbc71664ee0946fffbba3b71afe09b12d9ffe0d1744d6deb9db65ff0cd9cc
                                                                    • Opcode Fuzzy Hash: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
                                                                    • Instruction Fuzzy Hash: 3FB1387010468D8FDF88DF28C88A6DA3FA1FB68388F614219FC4A97250C778D694CBC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180020334 Relevance: 5.2, Strings: 4, Instructions: 190COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: -`G$.$5B.Y$Z`35
                                                                    • API String ID: 0-1363032466
                                                                    • Opcode ID: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
                                                                    • Instruction ID: b244d414363a4385de25ad5610b22aaac7fb2f2c92cf8150697ad32e565f4bd8
                                                                    • Opcode Fuzzy Hash: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
                                                                    • Instruction Fuzzy Hash: 29A1FB716157888FEB7ADF24C89A7CE7BE1FB49308F40461DD98E8A250D7B49609CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000EE98 Relevance: 5.2, Strings: 4, Instructions: 167COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: *+_$WSh$\O$#o
                                                                    • API String ID: 0-1846314129
                                                                    • Opcode ID: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
                                                                    • Instruction ID: 175ce4bc0e22c7a636d32034be2bbb8ad42f6b3cb6a748f64f507b7f0b29ed37
                                                                    • Opcode Fuzzy Hash: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
                                                                    • Instruction Fuzzy Hash: 1971167160474ECFCB98DF18C489ADA3BE1FB58318F414529FC09A7264DB74DAA8CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180024D80 Relevance: 5.2, Strings: 4, Instructions: 155COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: .B$O$M*K$\<
                                                                    • API String ID: 0-3225238681
                                                                    • Opcode ID: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
                                                                    • Instruction ID: 95d2fbb8f7fe970b1359d27f41ccd6aad584115d4fee043204e0c0f4c3f3b287
                                                                    • Opcode Fuzzy Hash: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
                                                                    • Instruction Fuzzy Hash: 7181E370549788CFEBBACF24C886BDE7BE4FB48744F20461DE85A8A260DB709645CF41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018002A42C Relevance: 5.1, Strings: 4, Instructions: 143COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $$$$xVO$~O
                                                                    • API String ID: 0-3655128719
                                                                    • Opcode ID: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
                                                                    • Instruction ID: 8f78542db34460f4381821bab2b7e4f68a699ed7f8b2fc47c959991f0b02677a
                                                                    • Opcode Fuzzy Hash: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
                                                                    • Instruction Fuzzy Hash: 5B61D1B05187448FD369DF28C18965BBBF1FBC6744F008A1EF6868A260DB76D948CB47
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800024B8 Relevance: 5.1, Strings: 4, Instructions: 79COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ,IW$G$JMg$l
                                                                    • API String ID: 0-1370644289
                                                                    • Opcode ID: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
                                                                    • Instruction ID: 7fb8b97fd43ed4dc52a467cdcf5cca41e6e56dbc92574a5c866222c6b731b82a
                                                                    • Opcode Fuzzy Hash: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
                                                                    • Instruction Fuzzy Hash: 0A41D3B190074E8FCB48CF64C88A5DE7FB0FB18358F10461EE85AA6250D7B89695CFC9
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF3081AF70 Relevance: 4.9, APIs: 3, Instructions: 435COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _errno$__tzset
                                                                    • String ID:
                                                                    • API String ID: 3587134695-0
                                                                    • Opcode ID: 49cb08095e24ca39ac522c7ec604242f23efb3d68850c8b05a0144016971d7f9
                                                                    • Instruction ID: 023a10f98caeeaf07819112f632d6b7aaaac3f8b6496788f0894add7cb267158
                                                                    • Opcode Fuzzy Hash: 49cb08095e24ca39ac522c7ec604242f23efb3d68850c8b05a0144016971d7f9
                                                                    • Instruction Fuzzy Hash: 59028232A08A82C7E76C8F6D909017D27E1FF88789F24403BD74E46791CE38E954E709
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF3081FB6C Relevance: 4.6, APIs: 3, Instructions: 95COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _errno$DecodePointer_lock
                                                                    • String ID:
                                                                    • API String ID: 2175075375-0
                                                                    • Opcode ID: 67eb2a1810ee8ae3a6f200ab40374a5628c10f79bc737fdb0890b88123cf569c
                                                                    • Instruction ID: 4602e26fc1ca70f552c0bbc29f3e120ac474c87f6bdcf67c18b45120939708a5
                                                                    • Opcode Fuzzy Hash: 67eb2a1810ee8ae3a6f200ab40374a5628c10f79bc737fdb0890b88123cf569c
                                                                    • Instruction Fuzzy Hash: B431AD21F0CB6742FB6D9A61956177A61C1AF5438CF044536EE8D87BC7EE2CE410E648
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF3081D318 Relevance: 4.5, APIs: 3, Instructions: 43COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • RtlCaptureContext.KERNEL32 ref: 00007FFF3081D357
                                                                    • SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFF3081D39D
                                                                    • UnhandledExceptionFilter.KERNEL32 ref: 00007FFF3081D3A8
                                                                      • Part of subcall function 00007FFF30816F0C: GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FFF30817194,?,?,?,?,00007FFF30816C69,?,?,00000000,00007FFF308130C0), ref: 00007FFF30816FCF
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionFilterUnhandled$CaptureContextFileModuleName
                                                                    • String ID:
                                                                    • API String ID: 2731829486-0
                                                                    • Opcode ID: 593c6449df1015ae3e331ed563d16e9abc9156b94907c07056c7b3d83921dabb
                                                                    • Instruction ID: 933f01d30ef1f29a04b450c4cb39a2418dd4b411eedbfaab2dff345ef3bc3c73
                                                                    • Opcode Fuzzy Hash: 593c6449df1015ae3e331ed563d16e9abc9156b94907c07056c7b3d83921dabb
                                                                    • Instruction Fuzzy Hash: F2115129A28A8792E7289B50F8543BA63E9FF8530CF44013AE58D02B95DF3DE015DB19
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001496C Relevance: 4.2, Strings: 3, Instructions: 493COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: *4$5F$S^r
                                                                    • API String ID: 0-3556444313
                                                                    • Opcode ID: b0743c1ec2acfd1e8c25e2f2eb51529e5db6bb1cba9eb6ae32e5b6bbd2ab9b57
                                                                    • Instruction ID: 3ee7e47d854a132278560872cba22db18b0762c6b33e49020313469b2ebed1ad
                                                                    • Opcode Fuzzy Hash: b0743c1ec2acfd1e8c25e2f2eb51529e5db6bb1cba9eb6ae32e5b6bbd2ab9b57
                                                                    • Instruction Fuzzy Hash: 5542F87154478C8BDBB8CF28C88D7DE7BE0FB54344F20461DE9AA8A261DBB49685CF41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001BB04 Relevance: 4.0, Strings: 3, Instructions: 286COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: &lz2$'~W$<x<
                                                                    • API String ID: 0-2268522332
                                                                    • Opcode ID: b4611eb32689572206be92ce00cd3efb5fa8211b09b44c780cf48fb277428f5a
                                                                    • Instruction ID: 36e71a14450f7168630c03d0025ff7d4b6ed06a40f4a953d8196177a15a51c97
                                                                    • Opcode Fuzzy Hash: b4611eb32689572206be92ce00cd3efb5fa8211b09b44c780cf48fb277428f5a
                                                                    • Instruction Fuzzy Hash: 47E10574A14B0C8BDB69DFB8D04A6CDBBF2FB54344F20411DE80AAB292D7B49519CF85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000BDD0 Relevance: 4.0, Strings: 3, Instructions: 262COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: o6.$s8Q${Fl&
                                                                    • API String ID: 0-2665016659
                                                                    • Opcode ID: 511a0316ce8a18d61ca04810737b4ff370b750d3f2d96c2fe29b5a7c249dfd58
                                                                    • Instruction ID: 345269621f88c341702fdf3610a73dbdf39058324611beb6fba665c489d4de0b
                                                                    • Opcode Fuzzy Hash: 511a0316ce8a18d61ca04810737b4ff370b750d3f2d96c2fe29b5a7c249dfd58
                                                                    • Instruction Fuzzy Hash: 48E1D7705087C88BDBFEDF64C88A7DA7BACFB44708F105219EA4A8E258DB745749CB41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180020768 Relevance: 4.0, Strings: 3, Instructions: 260COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $$T]0$ba^2
                                                                    • API String ID: 0-1276948933
                                                                    • Opcode ID: 50dab8274baf4b038fc4b99f186c2c7516c76bbdb2714b9ce32fb6facc3b6c7a
                                                                    • Instruction ID: eef8b44dd2583dc88dd368a4c81b8d58a3d6fa2c6a2b719c97d70d037daa09dd
                                                                    • Opcode Fuzzy Hash: 50dab8274baf4b038fc4b99f186c2c7516c76bbdb2714b9ce32fb6facc3b6c7a
                                                                    • Instruction Fuzzy Hash: 1CD11470510748DBCB99CF24C88AADD7FB1FB483A8FA42219FD06A7260C775D984CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001D49C Relevance: 4.0, Strings: 3, Instructions: 228COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 6w5*$EDO$V
                                                                    • API String ID: 0-1640223502
                                                                    • Opcode ID: ed1df3146ad4429725400e2b1b62204332b0e2ca82f1b7aeb1a5f2c194113b0e
                                                                    • Instruction ID: 2aad62a72125add12bf3ce521e9508149cfd3cbf44ea5784fb3c25a9d2cdfef8
                                                                    • Opcode Fuzzy Hash: ed1df3146ad4429725400e2b1b62204332b0e2ca82f1b7aeb1a5f2c194113b0e
                                                                    • Instruction Fuzzy Hash: 07B1E67160560ECFCB88DF28C5866DE3BE0FB48318F41422AF90AA7354D774DA68CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000A6EC Relevance: 4.0, Strings: 3, Instructions: 212COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Y()$i_"o$|Y
                                                                    • API String ID: 0-942011364
                                                                    • Opcode ID: 99e19844c70b9c0f3275fee4d9e8598d8799ff7d5c60b779fef480da3ab0ff5c
                                                                    • Instruction ID: 0f698cdcb9f5af38e2ff44253ec0ac71ef144d8643f40abc7fb7ff20982184b6
                                                                    • Opcode Fuzzy Hash: 99e19844c70b9c0f3275fee4d9e8598d8799ff7d5c60b779fef480da3ab0ff5c
                                                                    • Instruction Fuzzy Hash: 5AC1F7706083889FDBBEDF28C8857CA7BA9FB46708F504519EDC98E254DB745744CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180017378 Relevance: 3.9, Strings: 3, Instructions: 183COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: O)$,G$-
                                                                    • API String ID: 0-23008916
                                                                    • Opcode ID: 382f6eb2118395d632dba3a2cf122cd3a475215dc83456f13dd86c7c3519a1e5
                                                                    • Instruction ID: 8302e34eee3504d26b36c965fbed976e69713b67a0f5c478fb5ffa9ec871fbb1
                                                                    • Opcode Fuzzy Hash: 382f6eb2118395d632dba3a2cf122cd3a475215dc83456f13dd86c7c3519a1e5
                                                                    • Instruction Fuzzy Hash: 6E81F7705106499BCF88DF28C8D6ADD7FB1FB483A8F956219FD0AA6250C774D885CB84
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000A270 Relevance: 3.9, Strings: 3, Instructions: 158COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ;U[$L$Q#
                                                                    • API String ID: 0-2933747092
                                                                    • Opcode ID: 48c80cf55519f04e9394a4cd7563c786fdb29e452e8ba8fdd2d4b1674bf817ce
                                                                    • Instruction ID: c6ef39cbec2f0f72f24e8f037401308b0178ea645a608ff4f3f67d7bb634a9bb
                                                                    • Opcode Fuzzy Hash: 48c80cf55519f04e9394a4cd7563c786fdb29e452e8ba8fdd2d4b1674bf817ce
                                                                    • Instruction Fuzzy Hash: 0B614E70A0870CAFDB48DF94C14AADDBBF2FB54344F0081A9E806AB251D7B59B59CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001DFB4 Relevance: 3.9, Strings: 3, Instructions: 144COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 5($<:*$qwX
                                                                    • API String ID: 0-3944236288
                                                                    • Opcode ID: 3ff6daddd3fc5570497b4afa6ac41a8054238f95a4c1d79c70cc8b829639e233
                                                                    • Instruction ID: 7f83292775578326f1885df61e48a3f2c5c3ff73894a37d4b388f2926162ec41
                                                                    • Opcode Fuzzy Hash: 3ff6daddd3fc5570497b4afa6ac41a8054238f95a4c1d79c70cc8b829639e233
                                                                    • Instruction Fuzzy Hash: 5B71067015878CDBEBBADF24C8897DD3BB0FB49344F90861AE84E8A250CF74574A9B41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001C05C Relevance: 3.9, Strings: 3, Instructions: 135COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 79&$s`~$v;
                                                                    • API String ID: 0-3844292866
                                                                    • Opcode ID: beca5e7b89ed182e00fd219d55149b62bdd99575566975f419d1c5ca8939f9e6
                                                                    • Instruction ID: c39f2861ae99e8b3f2b4a79ea52bf03a0f7a6e48d35fb935a0be7420e121cddb
                                                                    • Opcode Fuzzy Hash: beca5e7b89ed182e00fd219d55149b62bdd99575566975f419d1c5ca8939f9e6
                                                                    • Instruction Fuzzy Hash: 9B61397110478CAFDBFA9E58CC85BDD37A0FB48348F508229E9098B290DF749B4D9B46
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000551C Relevance: 3.9, Strings: 3, Instructions: 127COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: wQ_$1_$ac
                                                                    • API String ID: 0-1037425278
                                                                    • Opcode ID: 943c7c2c61714b72029a8fd813d6c42c5c92d180aed6d879ae2838ea4b2e708e
                                                                    • Instruction ID: 5ab913ef515fd25bf7fc04ce61f78e9cde1e7d2fd73709943c0f3a5cbb59c84a
                                                                    • Opcode Fuzzy Hash: 943c7c2c61714b72029a8fd813d6c42c5c92d180aed6d879ae2838ea4b2e708e
                                                                    • Instruction Fuzzy Hash: 1D612B7010978C8BDBF8CF54DC997EA3BA6FB54345F208519E84E8A270DB74968CCB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180023831 Relevance: 3.9, Strings: 3, Instructions: 108COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: )K$U|$|1-
                                                                    • API String ID: 0-2543966960
                                                                    • Opcode ID: 5f28dff232c1c58b23d465856644a80aed22efa063cacd8378c131e5813de89a
                                                                    • Instruction ID: 8eb6a9a016547b1518e90ac2546dd564535e4ecbba9ac8d240a0a1c3e9042cf5
                                                                    • Opcode Fuzzy Hash: 5f28dff232c1c58b23d465856644a80aed22efa063cacd8378c131e5813de89a
                                                                    • Instruction Fuzzy Hash: 1151D57160438CAFDBF6CE64D8857CA37A0AB06354F608129A89D8A291DBB4578DCB02
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180029368 Relevance: 3.9, Strings: 3, Instructions: 105COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 6|$6`d$H~z
                                                                    • API String ID: 0-1702722476
                                                                    • Opcode ID: 6487df39d46446a395b722702bbc9accbfbbf10f6bdf8a05bf21e92dd4d708c3
                                                                    • Instruction ID: dff368548e7284a50638b46c1e9eca52edd1bdea535486c94ebb7356abcac70e
                                                                    • Opcode Fuzzy Hash: 6487df39d46446a395b722702bbc9accbfbbf10f6bdf8a05bf21e92dd4d708c3
                                                                    • Instruction Fuzzy Hash: C351F37190074DDFCF48DFA4D98A5DEBBB0FB48308F118659E89AA7260C7B89A44CF45
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180019618 Relevance: 3.8, Strings: 3, Instructions: 92COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: d~$`5$t>
                                                                    • API String ID: 0-1282322184
                                                                    • Opcode ID: 5ab2e5105061d0cdd7dd2083328b31dc67734e2d6c9a8d2650bd0306db7847c6
                                                                    • Instruction ID: 2b9aad7a7c3990d0f54026c4e2bc5a00c5a3c031faa8fbf8ed0394cc09118e70
                                                                    • Opcode Fuzzy Hash: 5ab2e5105061d0cdd7dd2083328b31dc67734e2d6c9a8d2650bd0306db7847c6
                                                                    • Instruction Fuzzy Hash: 9141B2B190078ECBCF48DFA8C88A1DE7BB0FB58358F104A19E965A6250D3B49664CF84
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000BB28 Relevance: 3.8, Strings: 3, Instructions: 91COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #St$JYr$hmn
                                                                    • API String ID: 0-1556749129
                                                                    • Opcode ID: 8c5881788024da3e2945e5a9e10c631b66cff36ab1256063138a18bf82cfdc40
                                                                    • Instruction ID: 771f7f328e054501a5ac5c786693eba7885e85f29817745d48b7f08549072e32
                                                                    • Opcode Fuzzy Hash: 8c5881788024da3e2945e5a9e10c631b66cff36ab1256063138a18bf82cfdc40
                                                                    • Instruction Fuzzy Hash: 9141A2B590038E8FCF48CF68C9865DF7BB0FB58358F104A19E866A6250D3B8D665CF85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180002610 Relevance: 3.8, Strings: 3, Instructions: 87COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: TGA$K$W}
                                                                    • API String ID: 0-588348707
                                                                    • Opcode ID: 6f9a2f9587d8e5dd3523940eb2aee6104e1c9ad2b61c16d7289d24ecd03a1c44
                                                                    • Instruction ID: 925d7415f36b0b7642ffd9188936a5d9ffa2c4cac62ef92b2c466baf2dc1674c
                                                                    • Opcode Fuzzy Hash: 6f9a2f9587d8e5dd3523940eb2aee6104e1c9ad2b61c16d7289d24ecd03a1c44
                                                                    • Instruction Fuzzy Hash: E041C2B480038E8FCB88DF68D8865DE7BB0FB58358F10461DF82AA6254D3B49664CF95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000738C Relevance: 3.8, Strings: 3, Instructions: 86COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: :1,$@H${C=
                                                                    • API String ID: 0-2737386091
                                                                    • Opcode ID: 644fe5c2a8aa80c3bc0818b82038798635fbfb77325ece216352586eb067b324
                                                                    • Instruction ID: ceb57f34bb3f34c1ea772447f295c080a735f780389ac7edd693abfe49cb3e58
                                                                    • Opcode Fuzzy Hash: 644fe5c2a8aa80c3bc0818b82038798635fbfb77325ece216352586eb067b324
                                                                    • Instruction Fuzzy Hash: B641E6B090078E8FCF48DF68C98A5DE7BB0FB58348F104A1DE856A6250D3B4D665CF95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001481C Relevance: 3.8, Strings: 3, Instructions: 74COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: prP$q<C$uL
                                                                    • API String ID: 0-1414207395
                                                                    • Opcode ID: 2ae9b2111e30b1203ae6799d8d29bbb45b968934521661f86bb08c7d67e7e9b2
                                                                    • Instruction ID: cc3a3a13117e67edb5dc9e3fadb8c1066889dae633948d8cd9104a976a047d4b
                                                                    • Opcode Fuzzy Hash: 2ae9b2111e30b1203ae6799d8d29bbb45b968934521661f86bb08c7d67e7e9b2
                                                                    • Instruction Fuzzy Hash: 1031B1B180434E9FCB48DF68C88A5DE7FB0FB58358F10961DE85AA6260D3789695CFC4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180006458 Relevance: 3.8, Strings: 3, Instructions: 61COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: :00D$Kl$(R'
                                                                    • API String ID: 0-3661897330
                                                                    • Opcode ID: 85d3200e76e47dbb67993755bb0ce797b19f94abe7489bd39968e35e8c3a1c76
                                                                    • Instruction ID: 113703a4c5f13be184801d5493027e38acd6d1afb500234bb699672912ccf9eb
                                                                    • Opcode Fuzzy Hash: 85d3200e76e47dbb67993755bb0ce797b19f94abe7489bd39968e35e8c3a1c76
                                                                    • Instruction Fuzzy Hash: CA216F74618B848BD74CDF28C46551EBBE1BB8C718F440B1DF4CAAA354D778D6058B4A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF30815944 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 154COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • _getptd.LIBCMT ref: 00007FFF3081597E
                                                                      • Part of subcall function 00007FFF30816550: RtlCaptureContext.KERNEL32 ref: 00007FFF3081658F
                                                                      • Part of subcall function 00007FFF30816550: IsDebuggerPresent.KERNEL32 ref: 00007FFF3081662D
                                                                      • Part of subcall function 00007FFF30816550: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFF30816637
                                                                      • Part of subcall function 00007FFF30816550: UnhandledExceptionFilter.KERNEL32 ref: 00007FFF30816642
                                                                      • Part of subcall function 00007FFF30816550: GetCurrentProcess.KERNEL32 ref: 00007FFF30816658
                                                                      • Part of subcall function 00007FFF30816550: TerminateProcess.KERNEL32 ref: 00007FFF30816666
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate_errno_getptd
                                                                    • String ID: C
                                                                    • API String ID: 1583075380-1037565863
                                                                    • Opcode ID: 10b8f8e64b2f2c6b57eebdc268e2529a4342badfac4ad9c6369cf06c32040822
                                                                    • Instruction ID: a7e10e157d98c2b38bc32d1c0c8eaf6a21813bb937aa81ecf3268a1e005bd056
                                                                    • Opcode Fuzzy Hash: 10b8f8e64b2f2c6b57eebdc268e2529a4342badfac4ad9c6369cf06c32040822
                                                                    • Instruction Fuzzy Hash: B651B322A1D69281FB689B21A5517BB63D0FF84B98F448033DE4E47B89DF3CD015D708
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF3081C6E4 Relevance: 3.1, APIs: 2, Instructions: 64COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: InfoLocale_getptd
                                                                    • String ID:
                                                                    • API String ID: 3731964398-0
                                                                    • Opcode ID: 3ee99f9ceacccca0b475531418f3f0bad8631950249c9606f8709888dfed1ca9
                                                                    • Instruction ID: f28e3dedfb9e48dc136043aad26a8a75a1747e10024c91d42387dd3de5dc7acc
                                                                    • Opcode Fuzzy Hash: 3ee99f9ceacccca0b475531418f3f0bad8631950249c9606f8709888dfed1ca9
                                                                    • Instruction Fuzzy Hash: 91215C32B08A8296EB6C9B29D9463E973E0FF88749F044136C61D87785DF7CE464DA04
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF3081C2B4 Relevance: 3.1, APIs: 2, Instructions: 56COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: InfoLocale_getptd
                                                                    • String ID:
                                                                    • API String ID: 3731964398-0
                                                                    • Opcode ID: d1cd7d40a2314de2c6ade98052514a7069188fc7bc8d66beba22a864349849c0
                                                                    • Instruction ID: de593364a1f928731769f2312c6f600b38c85c53fc2c5b148f6655d3a1af2f36
                                                                    • Opcode Fuzzy Hash: d1cd7d40a2314de2c6ade98052514a7069188fc7bc8d66beba22a864349849c0
                                                                    • Instruction Fuzzy Hash: D521A132B08A8296EB28CF20E4463E9B3E0FB88B88F444136DA5D87754CF3CE565D704
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800264F0 Relevance: 2.8, Strings: 2, Instructions: 299COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $$Y}
                                                                    • API String ID: 0-941771097
                                                                    • Opcode ID: ccf5b1dce74faba3fe2a090267a66303c79afc7ef0f7a8852e8ee526979540e5
                                                                    • Instruction ID: b5fbb9b8d69d65623167db00d7c984f611664f17b2ba8ffe1295fa2c65075a94
                                                                    • Opcode Fuzzy Hash: ccf5b1dce74faba3fe2a090267a66303c79afc7ef0f7a8852e8ee526979540e5
                                                                    • Instruction Fuzzy Hash: BFD11771D0475C8BDBA9CFA4C58A6DDBBB0FF48304F14812ED406AA664DBB4A94ACF41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180018148 Relevance: 2.8, Strings: 2, Instructions: 273COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 7;}~$?C
                                                                    • API String ID: 0-2633536567
                                                                    • Opcode ID: 9e9477893eee9c26855422b11b358c2b9c7e89ea64d6e27a9c9a45e4b3e49bc9
                                                                    • Instruction ID: 4ff8dde17651611a765cac66b1fbb421dc2d9ab68fb3aea537ff971927bbf4a2
                                                                    • Opcode Fuzzy Hash: 9e9477893eee9c26855422b11b358c2b9c7e89ea64d6e27a9c9a45e4b3e49bc9
                                                                    • Instruction Fuzzy Hash: 78D1157090074CEBCB98DF28C8CA6DD7FA0FF443A4FA06119FA5696250D7719989CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180025DAC Relevance: 2.8, Strings: 2, Instructions: 272COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 5"*$Wu
                                                                    • API String ID: 0-3407213400
                                                                    • Opcode ID: 590a19696181e1204ae7455af11f8a1d001dcd1a3fed74675f5c17178e0ac61d
                                                                    • Instruction ID: 3c96fdf1381a0958c8520d7d71fe6f2c88625533ee613de06fa48a87f48c4e54
                                                                    • Opcode Fuzzy Hash: 590a19696181e1204ae7455af11f8a1d001dcd1a3fed74675f5c17178e0ac61d
                                                                    • Instruction Fuzzy Hash: C5D1347150160CDBCBA9DF38C0896D93BE1FF68314F606229FC26962A6C770D998CB45
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180026B10 Relevance: 2.8, Strings: 2, Instructions: 257COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: F/|$]M
                                                                    • API String ID: 0-4182351379
                                                                    • Opcode ID: 43b00b6be08a8afbf3f5eb28955fc8fd0982218358cdb9bdb13e45d672a344d5
                                                                    • Instruction ID: a7a3ffa63f459c2793369717af269d13be5e973408dad35b7fec4159c22d1286
                                                                    • Opcode Fuzzy Hash: 43b00b6be08a8afbf3f5eb28955fc8fd0982218358cdb9bdb13e45d672a344d5
                                                                    • Instruction Fuzzy Hash: 93C1FC7590574CCFDBAACF28C4896DA3BE4FF18348F104129FC1A96262C778E959CB46
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180021C3C Relevance: 2.7, Strings: 2, Instructions: 216COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ;SH$nK
                                                                    • API String ID: 0-1681473137
                                                                    • Opcode ID: 60009ad1e2a9263792ce168a39eeae7aea84bb316664056338e5cad3c2547986
                                                                    • Instruction ID: 2d779165796623b26e7721dc1da123eca1e5f2af18f65828867eec0b4a65172d
                                                                    • Opcode Fuzzy Hash: 60009ad1e2a9263792ce168a39eeae7aea84bb316664056338e5cad3c2547986
                                                                    • Instruction Fuzzy Hash: A4A1F6B1D047188FDB69DFA9C8896DDBBF0FB58308F20821DE456AB252DB70A945CF40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800014F8 Relevance: 2.7, Strings: 2, Instructions: 185COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ,$z
                                                                    • API String ID: 0-3532108746
                                                                    • Opcode ID: dc10c8488ddee61f5c5f049ba36fdd234a8a1d33d2b4922d6dc47400662f32e6
                                                                    • Instruction ID: 22c424daf7001e4089cf159549a6bd5e686fa177ee3286ce9bb9aa7af20863be
                                                                    • Opcode Fuzzy Hash: dc10c8488ddee61f5c5f049ba36fdd234a8a1d33d2b4922d6dc47400662f32e6
                                                                    • Instruction Fuzzy Hash: D8813B7050064ECFDB99CF28C8967DE3BA0FB58388F214219FC469A251D778DA99CBC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001A460 Relevance: 2.7, Strings: 2, Instructions: 182COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: g/?$~l;
                                                                    • API String ID: 0-1448562259
                                                                    • Opcode ID: c1035f7af6a4496562a9c3e7f8bb9bdabded1ee22b21e9d05eb711cf1176ed3d
                                                                    • Instruction ID: 3fbc9289fec6fa85948f8c66d04cee19a314a674a1b98c47510047b5f8856774
                                                                    • Opcode Fuzzy Hash: c1035f7af6a4496562a9c3e7f8bb9bdabded1ee22b21e9d05eb711cf1176ed3d
                                                                    • Instruction Fuzzy Hash: BD912570D0871C8BDF98CFA8D4896DEBBF0FB48314F108119E815B6261D7788A49CF69
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000F128 Relevance: 2.7, Strings: 2, Instructions: 173COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: JM$S
                                                                    • API String ID: 0-422059844
                                                                    • Opcode ID: 17c06aff4c9a8785a284e06d6c25610082a70a687229394e7dafcb554760f06a
                                                                    • Instruction ID: 18b4f90d7ab76b898621194cab333307634bf3b6742180ea4845374ffda8c285
                                                                    • Opcode Fuzzy Hash: 17c06aff4c9a8785a284e06d6c25610082a70a687229394e7dafcb554760f06a
                                                                    • Instruction Fuzzy Hash: 58813B715047888BDBB8DF34C8863D93BE1FB54348F60821DEC9ACA262DB74954ADB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000671C Relevance: 2.7, Strings: 2, Instructions: 169COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: \4t$sT>
                                                                    • API String ID: 0-514966222
                                                                    • Opcode ID: bb5024ce5ec3974a1f347232039341d65ca55b368bc4e02a847ae3966b55dd21
                                                                    • Instruction ID: befa5a9d8a747e28c49f4c6f85c9bef8e8333281f143cc702ee02b151a4c5a7a
                                                                    • Opcode Fuzzy Hash: bb5024ce5ec3974a1f347232039341d65ca55b368bc4e02a847ae3966b55dd21
                                                                    • Instruction Fuzzy Hash: 689178B550070DCFDB98CF28C18A59E3BE8FB49318F40412AFC1E9A264E7B4E519CB46
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800075D4 Relevance: 2.7, Strings: 2, Instructions: 155COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 6 zT$lh
                                                                    • API String ID: 0-3667112246
                                                                    • Opcode ID: 3243651aebf4cc17f9c3ac19081b739ce8b4ee13b4845d7785784d3dcbf37647
                                                                    • Instruction ID: 045a3dc0dd112cd33074149f38d13d5bd37ef25ad135160f9863638738ef0602
                                                                    • Opcode Fuzzy Hash: 3243651aebf4cc17f9c3ac19081b739ce8b4ee13b4845d7785784d3dcbf37647
                                                                    • Instruction Fuzzy Hash: 27811A7050478C8FDBBADF64C8AA7CA7BB0FB59304F504219EA4D8A261DB749749CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800248A8 Relevance: 2.6, Strings: 2, Instructions: 143COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 2Q'$t<p
                                                                    • API String ID: 0-2959822804
                                                                    • Opcode ID: 3a858c916c0ce97b4f34a75536e8983d6f889f87815844e5a642c7b43e21a109
                                                                    • Instruction ID: a41fe1ae69e2ef788ca0c35fa62602b5835247be5e9f8fb85ac316e89f41683a
                                                                    • Opcode Fuzzy Hash: 3a858c916c0ce97b4f34a75536e8983d6f889f87815844e5a642c7b43e21a109
                                                                    • Instruction Fuzzy Hash: 30612671D0074E8BDF99DFA9C44A6EEBBB0FB58344F208119E415B7250CB788A49CF92
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180012F28 Relevance: 2.6, Strings: 2, Instructions: 136COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 95s$\`s
                                                                    • API String ID: 0-3495284040
                                                                    • Opcode ID: 588b54260dd6ab6c7a0d8fdad9ba33054619fea491f2d0c2f65b47850ec72611
                                                                    • Instruction ID: 5af2ad2f129eee824c5b1b43ddda8a3f0e9306f12771263eefccbe9bdf0da5be
                                                                    • Opcode Fuzzy Hash: 588b54260dd6ab6c7a0d8fdad9ba33054619fea491f2d0c2f65b47850ec72611
                                                                    • Instruction Fuzzy Hash: 1351D47011478A8BCB48DF28C896ADE3FA1FB58348F114618FC668B264C7B4E665CBC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001AAB8 Relevance: 2.6, Strings: 2, Instructions: 131COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 3*$qMu
                                                                    • API String ID: 0-4093015089
                                                                    • Opcode ID: 99b9b50685954fc4be39463e85dd78448f0e0771904def200121889666665086
                                                                    • Instruction ID: 306475205ddf6f42a3ecfe0a1797163739854d195c0d735865f936de0d0f8307
                                                                    • Opcode Fuzzy Hash: 99b9b50685954fc4be39463e85dd78448f0e0771904def200121889666665086
                                                                    • Instruction Fuzzy Hash: 445122B09147189BCB88CFA8E4CA9CDBBF1FF48354F609119F806A7255DB709984CF95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018002C904 Relevance: 2.6, Strings: 2, Instructions: 112COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #X$"n&E
                                                                    • API String ID: 0-1188898577
                                                                    • Opcode ID: 718f7bd1d94c81876eaad6eeab3da3c9f3f95e6ba8e740bb3013068cec68a803
                                                                    • Instruction ID: 5f040a851564d75eb680569e00f78a68740ad3a482e782991b4ea7036c242a73
                                                                    • Opcode Fuzzy Hash: 718f7bd1d94c81876eaad6eeab3da3c9f3f95e6ba8e740bb3013068cec68a803
                                                                    • Instruction Fuzzy Hash: 3851CEB190038E8FCB48DF68D8865DE7BB1FB48344F018A1DE866AB250D7B4D665CB94
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800176B8 Relevance: 2.6, Strings: 2, Instructions: 102COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Bw~$fy
                                                                    • API String ID: 0-1663007907
                                                                    • Opcode ID: e7fa569085818704a3ff5c3485105d547b9a4184ddd82cedce935b50235ecc40
                                                                    • Instruction ID: 54d1d0e0fa6abfe6c6c31828b0edda1727153ea8c56c584fcf89706de6b20d2b
                                                                    • Opcode Fuzzy Hash: e7fa569085818704a3ff5c3485105d547b9a4184ddd82cedce935b50235ecc40
                                                                    • Instruction Fuzzy Hash: FC51D2B090038A8FCB48CF64C88A5DE7FB1FB48348F51861DFC26AA250D3B4D664CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180013150 Relevance: 2.6, Strings: 2, Instructions: 100COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: /0$XyLe
                                                                    • API String ID: 0-3562702181
                                                                    • Opcode ID: fef052e2a4848d8a0e8164d690a85092e4079079a61ad40d2a1be71e95784dc9
                                                                    • Instruction ID: 167cd3e3c855d70dfa0c36df1993a56b415187eb75226b1b3cef09056e291559
                                                                    • Opcode Fuzzy Hash: fef052e2a4848d8a0e8164d690a85092e4079079a61ad40d2a1be71e95784dc9
                                                                    • Instruction Fuzzy Hash: 5751C2B090034E8FDB48DF68C49A5DE7FB0FB68398F20421DE856A6250D37496A4CFC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800190D4 Relevance: 2.6, Strings: 2, Instructions: 93COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: >I$>I
                                                                    • API String ID: 0-3948471910
                                                                    • Opcode ID: d02b05b08f34d440a9e97d41a427d6483b203c28eb04f5a8f30793fc226f53c2
                                                                    • Instruction ID: a225938552342fdcd3306cc52f41137c6a5b776406488479516cfafb05d577e3
                                                                    • Opcode Fuzzy Hash: d02b05b08f34d440a9e97d41a427d6483b203c28eb04f5a8f30793fc226f53c2
                                                                    • Instruction Fuzzy Hash: 8D41F0B0909B849BC788DF68C18A90AFBE0FBD8704F505A1DF5858B660DBB4D806CF42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180013E28 Relevance: 2.6, Strings: 2, Instructions: 87COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: %'#$'1O"
                                                                    • API String ID: 0-3508158491
                                                                    • Opcode ID: 7a3bc090f4985b1e57649fadf31b142a2b067212ca7952ade99d041dbd471a2f
                                                                    • Instruction ID: 10e181b0c1a65fbc894e9b150557277c676d109d9ee8fa061bdc989f931bd19f
                                                                    • Opcode Fuzzy Hash: 7a3bc090f4985b1e57649fadf31b142a2b067212ca7952ade99d041dbd471a2f
                                                                    • Instruction Fuzzy Hash: A541C471D1471C9FCB84CFA8D98AACDBBF0FB48354F249119E445B6250D3B85988CF69
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001DA80 Relevance: 2.6, Strings: 2, Instructions: 86COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: {H2}$}i#c
                                                                    • API String ID: 0-1724349491
                                                                    • Opcode ID: 636373f8d11797f15735a76cf3eff043eb60bc28cc3023d18146d874f48b2676
                                                                    • Instruction ID: 37d5b784c44c013357b808598ceb46bd6ed98c7a9730d3ab63b6bf10ba55f6e5
                                                                    • Opcode Fuzzy Hash: 636373f8d11797f15735a76cf3eff043eb60bc28cc3023d18146d874f48b2676
                                                                    • Instruction Fuzzy Hash: 3941EAB190078A8BCF48CF68C89A1DE7BB1FB58358F11461DE866A6250D3B49664CF85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800269B0 Relevance: 2.6, Strings: 2, Instructions: 82COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4V$so
                                                                    • API String ID: 0-1060102820
                                                                    • Opcode ID: d1e906d6139717c906ceb034d8d33f13f0a3d2bdb8d940195440e7af4bdcba37
                                                                    • Instruction ID: d444a7ea2620fcfa6eb466004a6e01db215641729881944e94261e2193751ac2
                                                                    • Opcode Fuzzy Hash: d1e906d6139717c906ceb034d8d33f13f0a3d2bdb8d940195440e7af4bdcba37
                                                                    • Instruction Fuzzy Hash: 8E41BEB180034A8FCB48CF64C88A5DE7FB1FB68398F104619E859A6250D3B4D6A5CFC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800296EC Relevance: 2.6, Strings: 2, Instructions: 78COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: F+'$O$
                                                                    • API String ID: 0-4064122715
                                                                    • Opcode ID: 2ce923b60eb562ae85959f621386450c4d7366c85186967bb9bba02107a4a539
                                                                    • Instruction ID: be1e2e71df6ebfdb4da32f29d75cc371dd40c0bd5c05f395d23934970efaee37
                                                                    • Opcode Fuzzy Hash: 2ce923b60eb562ae85959f621386450c4d7366c85186967bb9bba02107a4a539
                                                                    • Instruction Fuzzy Hash: FD41D6705187848BD3A9DF68C08965EFBF0FB96394F104A1CF68686670C7B6D849CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800121CC Relevance: 2.6, Strings: 2, Instructions: 75COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 1$bO6
                                                                    • API String ID: 0-3242911120
                                                                    • Opcode ID: 9f75d9841d56aa2cc22d310afbf4e4cd48e2e3da52340bc691d74cf5e049a536
                                                                    • Instruction ID: 6601c978ba2416544a7d1ca6fb5225a3b879728eb772ccf04003f68ee897128b
                                                                    • Opcode Fuzzy Hash: 9f75d9841d56aa2cc22d310afbf4e4cd48e2e3da52340bc691d74cf5e049a536
                                                                    • Instruction Fuzzy Hash: 8A3107701187449FC7A8DF68C086A5ABBF0FB9A354F50491DF686C7265C3B2D895CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180019D60 Relevance: 2.6, Strings: 2, Instructions: 68COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: )j-J$\rba
                                                                    • API String ID: 0-105394296
                                                                    • Opcode ID: b27fa7590f58ca7dd2d737508af6f5bc0d6ebd07140c48d4a736306249910364
                                                                    • Instruction ID: 842adb91478ed39572f9e8a80903ac0de563c5eb9e26d75e48c1d2cd82a83531
                                                                    • Opcode Fuzzy Hash: b27fa7590f58ca7dd2d737508af6f5bc0d6ebd07140c48d4a736306249910364
                                                                    • Instruction Fuzzy Hash: 1A31D17080024E8BDF88DF64D48A6DFBFF0FB58788F205219E856A6254D7749694CFC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180024698 Relevance: 2.6, Strings: 2, Instructions: 67COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 5T$7c
                                                                    • API String ID: 0-2666566123
                                                                    • Opcode ID: 2ae419eb0ff386ee94a2b0b54af6030ef829be62021f352e0c4a6905d27011e8
                                                                    • Instruction ID: ee04dda3efe5c9a307f88871a109fd0823ba75d09644cdd26569aa81abafae9d
                                                                    • Opcode Fuzzy Hash: 2ae419eb0ff386ee94a2b0b54af6030ef829be62021f352e0c4a6905d27011e8
                                                                    • Instruction Fuzzy Hash: 7631E2B051C7808BC358DF68D15A51BFBF1BBCA748F50891CF686866A0D7B6D818CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180017BDC Relevance: 2.6, Strings: 2, Instructions: 60COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ",)x$PX
                                                                    • API String ID: 0-926260526
                                                                    • Opcode ID: f165c3a10a1fa821f16c68d8465b247d8270816cceff94c6b22525474e7640ac
                                                                    • Instruction ID: d5a1e783bdd82888163cb93820b1a52157f2f65bb265271905f807ea8b7abae1
                                                                    • Opcode Fuzzy Hash: f165c3a10a1fa821f16c68d8465b247d8270816cceff94c6b22525474e7640ac
                                                                    • Instruction Fuzzy Hash: DA31A1B091434E8FCB48DF64C88A5DE7FF0FB58398F114619E85AA6250D3B89694CFC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF3081C39C Relevance: 1.6, APIs: 1, Instructions: 54COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: InfoLocale
                                                                    • String ID:
                                                                    • API String ID: 2299586839-0
                                                                    • Opcode ID: 31e1571c4c9480ce99c15a91898bfef815e3c9c5a1e04a4fd1e61da97386d0dc
                                                                    • Instruction ID: e2eba9f3e8d7ffb15345d189172109fe24862764f93e5db94ad2c1d3c6c24777
                                                                    • Opcode Fuzzy Hash: 31e1571c4c9480ce99c15a91898bfef815e3c9c5a1e04a4fd1e61da97386d0dc
                                                                    • Instruction Fuzzy Hash: CD119432A0C58785EA749A64E4A27F923D0EF8478CF444533DA8D86381CF2CE546D30D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF3081C834 Relevance: 1.5, APIs: 1, Instructions: 46COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: EnumLocalesSystem
                                                                    • String ID:
                                                                    • API String ID: 2099609381-0
                                                                    • Opcode ID: aeac2b72f960d353e04b1ec94d2b5deee2ea0aff83e9dab1063ee3790c567d86
                                                                    • Instruction ID: 52e046f503ca55755dcedd0c7fc67c1be5e16ef644f33a4541e7f26eff23cf28
                                                                    • Opcode Fuzzy Hash: aeac2b72f960d353e04b1ec94d2b5deee2ea0aff83e9dab1063ee3790c567d86
                                                                    • Instruction Fuzzy Hash: 14112A72A086068BFB5C8B31C0963B937E0EF94B0DF144436CA0D463C6CB7CD594E689
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF3081C8C8 Relevance: 1.5, APIs: 1, Instructions: 35COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • EnumSystemLocalesA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FFF30815A8C), ref: 00007FFF3081C8FD
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: EnumLocalesSystem
                                                                    • String ID:
                                                                    • API String ID: 2099609381-0
                                                                    • Opcode ID: 63a91a0b255d2a7e8e8559b933d18d41bbf72777b1d5725641a44dd385286e67
                                                                    • Instruction ID: 9aeef72b1fba791cdf21a9516a69c01afafacbf9f8c27e0b86c64db5799f353f
                                                                    • Opcode Fuzzy Hash: 63a91a0b255d2a7e8e8559b933d18d41bbf72777b1d5725641a44dd385286e67
                                                                    • Instruction Fuzzy Hash: BBF08C62E0890A86FB1C8A31C4173BA6BD1AF94B4CF188033C64D423C6CF6CD591E249
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF3081DF3C Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: InfoLocale_getptd
                                                                    • String ID:
                                                                    • API String ID: 3731964398-0
                                                                    • Opcode ID: c55661bbe17e4b16f28eed47b7e85f9fabee07928079620ee3b979cc97ad5c67
                                                                    • Instruction ID: e01cc026544276c1ce7f713ad188ab45aec0834cd2f98a5bf93909154dd2663b
                                                                    • Opcode Fuzzy Hash: c55661bbe17e4b16f28eed47b7e85f9fabee07928079620ee3b979cc97ad5c67
                                                                    • Instruction Fuzzy Hash: 61F08922A187C083D7518B15F04455AE761FBC4BE4F584221EB9D17B59CF3CC956CF44
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF3081E1E8 Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: InfoLocale
                                                                    • String ID:
                                                                    • API String ID: 2299586839-0
                                                                    • Opcode ID: 502a65142465a1b9b121244362b20e71b6ae70508435106b2b95459646a177ab
                                                                    • Instruction ID: db678e90e70eaef9750678c18393457495cc2a5e7aebebe15c96c220e7eee998
                                                                    • Opcode Fuzzy Hash: 502a65142465a1b9b121244362b20e71b6ae70508435106b2b95459646a177ab
                                                                    • Instruction Fuzzy Hash: 2DE06521A0C98281F630D710E8117AA67D4FF9875CF800233E69D467A5DE3CE255DB08
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF3081C7F4 Relevance: 1.5, APIs: 1, Instructions: 18COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: EnumLocalesSystem
                                                                    • String ID:
                                                                    • API String ID: 2099609381-0
                                                                    • Opcode ID: a3acadd2f008454ed6638a5ec196b6424420b15def5e390d94227f08142a8bc9
                                                                    • Instruction ID: 945418c73cd94776f2cb5e5c856c4676a8d1f02d8f7d2b7ac7ef5ac88eefc1ec
                                                                    • Opcode Fuzzy Hash: a3acadd2f008454ed6638a5ec196b6424420b15def5e390d94227f08142a8bc9
                                                                    • Instruction Fuzzy Hash: 64E04F66E0460583EB088B61D4453646691EF98B0DF088032CA0C022958F7CC596D644
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800125C4 Relevance: 1.5, Strings: 1, Instructions: 239COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: cYte
                                                                    • API String ID: 0-489798635
                                                                    • Opcode ID: 6004706ed1147b69530f76000c159dc057970e6c457d66b2cd8eae28b0101d69
                                                                    • Instruction ID: 4bcad34f3ef31740aa8133b8dde5a269bb367cd09133d205a83695970592d01c
                                                                    • Opcode Fuzzy Hash: 6004706ed1147b69530f76000c159dc057970e6c457d66b2cd8eae28b0101d69
                                                                    • Instruction Fuzzy Hash: C4B1E570904A0C9FCB99DFA8D4C96DDBFB1FB48354F908119F806AB294D774998ACF81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018002A9A8 Relevance: 1.5, Strings: 1, Instructions: 221COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Pc
                                                                    • API String ID: 0-2609325410
                                                                    • Opcode ID: 1a0088ecf8094bc96bd3fe6dd6dc82c472572739438acd9534c77a0a59272c42
                                                                    • Instruction ID: 12b923e2fd3f69615379d54222b7898fdcc3de1fee72b8e179f5c4c977b11f8e
                                                                    • Opcode Fuzzy Hash: 1a0088ecf8094bc96bd3fe6dd6dc82c472572739438acd9534c77a0a59272c42
                                                                    • Instruction Fuzzy Hash: 4CC188B6502749CFCB88DF68C69A59E7BF1FF55308F004129FC0A9A660D374D929CB48
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001ED50 Relevance: 1.5, Strings: 1, Instructions: 205COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: g >
                                                                    • API String ID: 0-3862707646
                                                                    • Opcode ID: ed648581161f49faafb3551504090fa0bdf2ce44a31b7bcfa2a0e2750c151a25
                                                                    • Instruction ID: 455282f08292131e945dcc730a648b96f9dba3dd8fa54dedd401ba7ae830fef0
                                                                    • Opcode Fuzzy Hash: ed648581161f49faafb3551504090fa0bdf2ce44a31b7bcfa2a0e2750c151a25
                                                                    • Instruction Fuzzy Hash: DEA1E5B1604649CFCB98DF28C4896DE7BE0FF48358F41412AFD0A9B255C774DAA8CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180018DAC Relevance: 1.4, Strings: 1, Instructions: 200COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 2
                                                                    • API String ID: 0-2012265552
                                                                    • Opcode ID: 4b072a5d04a01b9100fac41699cb466bc37952194d83653627602ebfe7fd88fa
                                                                    • Instruction ID: 4926f2c2e7b01a1509be6dde787c5073208d3019f4660081853cabf743aa6d2d
                                                                    • Opcode Fuzzy Hash: 4b072a5d04a01b9100fac41699cb466bc37952194d83653627602ebfe7fd88fa
                                                                    • Instruction Fuzzy Hash: 23A1467490660CDFCB69DFA8C0856CDBBF2FF18344F1081AAE816A7261D774C619CB89
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800288B8 Relevance: 1.4, Strings: 1, Instructions: 190COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Wcl
                                                                    • API String ID: 0-2623992880
                                                                    • Opcode ID: f4aab810873131842688b8816ae552eda5867b61779d557f5a81b893f1e00e3f
                                                                    • Instruction ID: 6785441b261b06c1a3a09f49601167733b22bb672c53a20dcfeae34723d14519
                                                                    • Opcode Fuzzy Hash: f4aab810873131842688b8816ae552eda5867b61779d557f5a81b893f1e00e3f
                                                                    • Instruction Fuzzy Hash: DCB17BB990364DCFCB68CF78D58A59D7BF1AF64308F204119FC259A266D3B0D629CB48
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180029888 Relevance: 1.4, Strings: 1, Instructions: 172COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ws8
                                                                    • API String ID: 0-2196714860
                                                                    • Opcode ID: 5d33fb8a3b51542eaa6130f047a5a21fcb70befd8ff2f8c5da0624ee0b386558
                                                                    • Instruction ID: b480ef2199d1fafa288ff61c3bcffdce570952497d21d470c9db593eaacbee88
                                                                    • Opcode Fuzzy Hash: 5d33fb8a3b51542eaa6130f047a5a21fcb70befd8ff2f8c5da0624ee0b386558
                                                                    • Instruction Fuzzy Hash: 54711A70A0470E8FDB59DFA8C45AAEFBBF2FB54348F004119D806A7291DB749A19CBC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180017908 Relevance: 1.4, Strings: 1, Instructions: 158COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: p/g
                                                                    • API String ID: 0-1786412500
                                                                    • Opcode ID: ea109bfccebd437b4b01984c5c0f8ff51e1effdcf135339ee94665a9e60d530a
                                                                    • Instruction ID: ede728f5e2ba0833d242d52ca27ad93f20c36497480e8c5f25a004cbad49378e
                                                                    • Opcode Fuzzy Hash: ea109bfccebd437b4b01984c5c0f8ff51e1effdcf135339ee94665a9e60d530a
                                                                    • Instruction Fuzzy Hash: F58108B050434E8FCB88DF68D88A6DE7FF0FB58358F105659E85A96250D3B8D694CF84
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000131C Relevance: 1.4, Strings: 1, Instructions: 154COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: %
                                                                    • API String ID: 0-3714942587
                                                                    • Opcode ID: 4a5e4fe18fa17051425459feb0137b81b0d343578dbe0cd5a85f108800ca0619
                                                                    • Instruction ID: d5d5bf94d11651037a836977de8f66422f038c9f5d7a5f915f0cc542ec650b78
                                                                    • Opcode Fuzzy Hash: 4a5e4fe18fa17051425459feb0137b81b0d343578dbe0cd5a85f108800ca0619
                                                                    • Instruction Fuzzy Hash: 5A516974606608CBDB69DF38D4D57A937E1EF68305F20412DF866C72A2DB70D9258B88
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000D8C4 Relevance: 1.4, Strings: 1, Instructions: 133COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: A.}
                                                                    • API String ID: 0-2880059976
                                                                    • Opcode ID: 9010837fa6b706847bc4c7b3c9088da85304bc8742fe6f892a790101183beb2f
                                                                    • Instruction ID: 2f0cd8bb00c33d355f5bc07b1ff950bf82d6730f12d3cb6082a6ef1b734ff39e
                                                                    • Opcode Fuzzy Hash: 9010837fa6b706847bc4c7b3c9088da85304bc8742fe6f892a790101183beb2f
                                                                    • Instruction Fuzzy Hash: 8E618FB190078E8FCF48DF68C88A5DE7BB1FB58318F004A1DE86696250D7B49A65CF94
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180001D68 Relevance: 1.4, Strings: 1, Instructions: 126COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 0#
                                                                    • API String ID: 0-456275806
                                                                    • Opcode ID: f4a433f559aee369bf21c69c9b7459dc344cb914e6653285f272d73a33117f3a
                                                                    • Instruction ID: 4563f3e02f76dde2de765371aa44af8a356bdaf4307918038d119139e73a9611
                                                                    • Opcode Fuzzy Hash: f4a433f559aee369bf21c69c9b7459dc344cb914e6653285f272d73a33117f3a
                                                                    • Instruction Fuzzy Hash: A6415E70608B488FC768DF19D4897AABBF1FB99301F404A6DE58AC7251DB70D849CB82
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180008CA0 Relevance: 1.4, Strings: 1, Instructions: 119COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: n)
                                                                    • API String ID: 0-1227437150
                                                                    • Opcode ID: f07ab33c2aa16265c73684704b65c3edc8d50a8e8d1ddfe7d0f50fe867e83bf1
                                                                    • Instruction ID: dd456011ca79f85f31d8ff0d6df60f6896318ebd7e2af4f5172cd91629f08304
                                                                    • Opcode Fuzzy Hash: f07ab33c2aa16265c73684704b65c3edc8d50a8e8d1ddfe7d0f50fe867e83bf1
                                                                    • Instruction Fuzzy Hash: 9761ADB090074E8FCB48DF68D58A5CE7FF0FB68398F204219E856A6260D37496A5CFC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001EB30 Relevance: 1.4, Strings: 1, Instructions: 117COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: H&0
                                                                    • API String ID: 0-1691334370
                                                                    • Opcode ID: 5a191e61a79b4d2933a8800ab4c515fbfaecb0eb7acbf0dede020ee38eb43630
                                                                    • Instruction ID: 434fd06cb4e7b9e5ef59c8cf231445956357c0a0e2562e482aef1b34ca23bdad
                                                                    • Opcode Fuzzy Hash: 5a191e61a79b4d2933a8800ab4c515fbfaecb0eb7acbf0dede020ee38eb43630
                                                                    • Instruction Fuzzy Hash: F8511970519784ABD7D9CF28C4C5B5EBBE0FB88794F90691EF486C62A0CB74C9498B03
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018002870C Relevance: 1.4, Strings: 1, Instructions: 107COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: <+o
                                                                    • API String ID: 0-2035106886
                                                                    • Opcode ID: a127c5cda714885b89af0befeec2260f70d516272a3ffbf2c9e998cd35b08532
                                                                    • Instruction ID: 908cc80fe280ddd0bfa2415e6bae89ce11b1f5b72da4428c53a3215ac7c7145d
                                                                    • Opcode Fuzzy Hash: a127c5cda714885b89af0befeec2260f70d516272a3ffbf2c9e998cd35b08532
                                                                    • Instruction Fuzzy Hash: 7A51DFB090034E8BCB48CF68C9965DE7BB0FB58348F11861DEC26AA350D3B4D664CF95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180015388 Relevance: 1.3, Strings: 1, Instructions: 94COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 2d
                                                                    • API String ID: 0-3866551247
                                                                    • Opcode ID: 21f6d5c278180fa64e04e12198f4d62966834cfebc9beba359b958e849a1d965
                                                                    • Instruction ID: 258b54a6104a0115c80ff1d617aa7636393a642c0cf89d14f7baa21f525a3413
                                                                    • Opcode Fuzzy Hash: 21f6d5c278180fa64e04e12198f4d62966834cfebc9beba359b958e849a1d965
                                                                    • Instruction Fuzzy Hash: 4641CFB05087858FD358DF68C58A61AFBF1BBCA344F108A1EF685CB260D7B6D945CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800250CC Relevance: 1.3, Strings: 1, Instructions: 93COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ZF{;
                                                                    • API String ID: 0-2351138993
                                                                    • Opcode ID: 1a3b70ac63407bc6b31dbd99811dd9b011c38cdabefff78aa14352df61b26e81
                                                                    • Instruction ID: 7873f037b774218c73d9d67b0eeaf548a3a2a69e6d8f7c9b30684cba1c01e4e1
                                                                    • Opcode Fuzzy Hash: 1a3b70ac63407bc6b31dbd99811dd9b011c38cdabefff78aa14352df61b26e81
                                                                    • Instruction Fuzzy Hash: 525192B180034A8FCB48CF68D48A5DE7FB0FB68398F20461DF956A6250D3B596A4CFD5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180011834 Relevance: 1.3, Strings: 1, Instructions: 91COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: o^
                                                                    • API String ID: 0-3380573087
                                                                    • Opcode ID: 0d6f3437d03fe5aa4f51e8e74fa4409d34d0e7854ad8eda007dad4bfdfa39413
                                                                    • Instruction ID: 59a9f6ae0c87b179395b4bbd7662f2404235addd18437060f8b1d9c1d0f8b2e4
                                                                    • Opcode Fuzzy Hash: 0d6f3437d03fe5aa4f51e8e74fa4409d34d0e7854ad8eda007dad4bfdfa39413
                                                                    • Instruction Fuzzy Hash: 97419FB091034A9FCB48DF68C4865CEBFB0FB68394F20561AF856A6250D3B4D6A4CFD5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180017CE4 Relevance: 1.3, Strings: 1, Instructions: 88COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 8N
                                                                    • API String ID: 0-1657423088
                                                                    • Opcode ID: c7b73ac620a1de8d380d3e919fde74086c8d3eb6f51cee4e1f73d7d71f9b17a5
                                                                    • Instruction ID: 05e8e8e61cf54c40f354227930f27795623571b92907d2ce5de0c79af9b5eb72
                                                                    • Opcode Fuzzy Hash: c7b73ac620a1de8d380d3e919fde74086c8d3eb6f51cee4e1f73d7d71f9b17a5
                                                                    • Instruction Fuzzy Hash: 3041B2B180078A8FCF48DF68D88A5DE7BF0FB48344F515619F82AA6250D3B49664CF94
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180002178 Relevance: 1.3, Strings: 1, Instructions: 88COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: J3n
                                                                    • API String ID: 0-3694000235
                                                                    • Opcode ID: 5e0585a393d7b877ef62559883b768be0e35881de92711842f1faa0fdb5b3090
                                                                    • Instruction ID: fbc63d1771dd8068db465c214aa1fa6fe3c32017f13d31a40a539671eb8e3db3
                                                                    • Opcode Fuzzy Hash: 5e0585a393d7b877ef62559883b768be0e35881de92711842f1faa0fdb5b3090
                                                                    • Instruction Fuzzy Hash: 9241B2B090034A8FCB48CF64D48A5DEBFF0FB68398F104619E819A6250D3B496A5CFD5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001F7C0 Relevance: 1.3, Strings: 1, Instructions: 86COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: c&A
                                                                    • API String ID: 0-649646960
                                                                    • Opcode ID: 222d628d9e4dbd3e938f419e6eccfde97dede3f6fc3ed5f8b1cf47718be42e18
                                                                    • Instruction ID: 5c1e29145451eb3f41bdf5aebc87db8614fe3fe022aa4abe865b5bb925589833
                                                                    • Opcode Fuzzy Hash: 222d628d9e4dbd3e938f419e6eccfde97dede3f6fc3ed5f8b1cf47718be42e18
                                                                    • Instruction Fuzzy Hash: A041B2B490038E8FCF48DF68D8465DE7BB0FF58348F114619E865A6250D3B8D665CF85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800029BC Relevance: 1.3, Strings: 1, Instructions: 85COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: (3
                                                                    • API String ID: 0-2570504824
                                                                    • Opcode ID: a8e5f93200cbe41d1aa1f83add337e38aaec9fa9aeab5943e76885fb2eb57509
                                                                    • Instruction ID: 078cae481ecab5ebae8a44fc1aa70e5a526d9ef7cdb5a4e390aeab476efd0bb7
                                                                    • Opcode Fuzzy Hash: a8e5f93200cbe41d1aa1f83add337e38aaec9fa9aeab5943e76885fb2eb57509
                                                                    • Instruction Fuzzy Hash: 8641E1B190034E8BCB48DF65C89A4EE7FB0FB58388F10461DE856AB250D37496A9CFD5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018002C7B4 Relevance: 1.3, Strings: 1, Instructions: 81COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: [r\^
                                                                    • API String ID: 0-4041245994
                                                                    • Opcode ID: 7e09be878869778b676359d511607d642bff81e0c723db1b86f2cce54c765f10
                                                                    • Instruction ID: bef136deadb7757a9af36730b388b650d276232742e73576b67fc962b3bf4495
                                                                    • Opcode Fuzzy Hash: 7e09be878869778b676359d511607d642bff81e0c723db1b86f2cce54c765f10
                                                                    • Instruction Fuzzy Hash: A841E2B090034E8FCB48DFA4D48A5DE7FB1FB58358F10861DE85AA6210C3B896A4CFD5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180019FDC Relevance: 1.3, Strings: 1, Instructions: 80COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #X
                                                                    • API String ID: 0-1684620495
                                                                    • Opcode ID: e5059ebb106ab31542f79bed70f85174c6c5fb64cd94bc4155e3ee01b83e8653
                                                                    • Instruction ID: c074d48008b4f0de6335b08329d09b3dcf7b4425e670a70b5eb694557c772c54
                                                                    • Opcode Fuzzy Hash: e5059ebb106ab31542f79bed70f85174c6c5fb64cd94bc4155e3ee01b83e8653
                                                                    • Instruction Fuzzy Hash: CD31C27050074A8BCF48DF68C48A5DE7FA1BB68388F204619F85A96250D3B896A9CBC4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180002790 Relevance: 1.3, Strings: 1, Instructions: 75COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: [[x
                                                                    • API String ID: 0-2553898450
                                                                    • Opcode ID: fce498f01d1264328632f2ce3828285d2b3a4cfcf13af4523760d9f610b529f8
                                                                    • Instruction ID: a8e0a129d75fff214b9f34755e9293911d3f443417a5185f62d90841b3dbcaf2
                                                                    • Opcode Fuzzy Hash: fce498f01d1264328632f2ce3828285d2b3a4cfcf13af4523760d9f610b529f8
                                                                    • Instruction Fuzzy Hash: 8031AF701087848BD759DF68D48A51EFFF1FBC5398F500A0CF68286260D7B6E889CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001E960 Relevance: 1.3, Strings: 1, Instructions: 73COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: g\&
                                                                    • API String ID: 0-1994035986
                                                                    • Opcode ID: f1cd2deb5ac8493e30d5546e6bad4ad0a2e3582185550e3a432f48c3f1068d26
                                                                    • Instruction ID: 78d7b7b30cf9cde697684abc63e3144e4f3c104511914dfd36499d518091e057
                                                                    • Opcode Fuzzy Hash: f1cd2deb5ac8493e30d5546e6bad4ad0a2e3582185550e3a432f48c3f1068d26
                                                                    • Instruction Fuzzy Hash: 49419FB090034E8FCB45CF64D48A5DEBFF0FB68788F204619E855A6220D37496A9CFD5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000338C Relevance: 1.3, Strings: 1, Instructions: 70COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #X
                                                                    • API String ID: 0-1684620495
                                                                    • Opcode ID: d6f38c749d7bf2c025576eea968cfd60362aaf86b7b5e01395e428e1a7e85413
                                                                    • Instruction ID: 6a57ff0d0e6417dcb220414ddd6fd05f9d25965c1474ecef6a781787815c5441
                                                                    • Opcode Fuzzy Hash: d6f38c749d7bf2c025576eea968cfd60362aaf86b7b5e01395e428e1a7e85413
                                                                    • Instruction Fuzzy Hash: 0F317FB06187858B8348DF28C45A41ABBE1FB8D31DF504B1DF8CAA7390D738D656CB4A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800095DC Relevance: 1.3, Strings: 1, Instructions: 68COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: GfMu
                                                                    • API String ID: 0-241548529
                                                                    • Opcode ID: 8a67e3bf7b4199a1d3604c9779ca93a2bad0c6c3acd17a475ebbae523034d89b
                                                                    • Instruction ID: 459bd1ae445ea4b99a05d17f5b7f57a0228a98ad0e4316bc4572b1ae85115cb6
                                                                    • Opcode Fuzzy Hash: 8a67e3bf7b4199a1d3604c9779ca93a2bad0c6c3acd17a475ebbae523034d89b
                                                                    • Instruction Fuzzy Hash: 3F31A4B080034E9FCB44DF65C88A5DE7FB0FB28398F118619E859A6254D3B8D6A5CFC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000F9E8 Relevance: 1.3, Strings: 1, Instructions: 67COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: k|
                                                                    • API String ID: 0-998972391
                                                                    • Opcode ID: 6236ffa949a3ca0ec4882c0e2f53e6d4deed0830cebabbf337115adf18185b80
                                                                    • Instruction ID: 2ac7c004f44a328b632a383646e80911aebdd3a2d92afb1c4fde4e6b566515e4
                                                                    • Opcode Fuzzy Hash: 6236ffa949a3ca0ec4882c0e2f53e6d4deed0830cebabbf337115adf18185b80
                                                                    • Instruction Fuzzy Hash: 0E316BB55187858BC348DF28C44A41ABBE0FB8D70DF401B2EF4CAAA254D778D646CB4B
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001D950 Relevance: 1.3, Strings: 1, Instructions: 66COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: wz_
                                                                    • API String ID: 0-2163964638
                                                                    • Opcode ID: b40e6b262b7e1498d3f21ab3c4cda150b043a181806bf38e185a76218508c891
                                                                    • Instruction ID: 85abef5d63a3cc0fc3de64b3cbe2355aa0dee9f977196367498a1db9d5329f65
                                                                    • Opcode Fuzzy Hash: b40e6b262b7e1498d3f21ab3c4cda150b043a181806bf38e185a76218508c891
                                                                    • Instruction Fuzzy Hash: 1B31A3B190438E9FCB84CF64D88A5DE7BB0FB58358F104A19EC69A6210D3B4C665CFC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000580C Relevance: 1.3, Strings: 1, Instructions: 65COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: {?Q
                                                                    • API String ID: 0-927583641
                                                                    • Opcode ID: 839c14ccb0eb6183acb001e089a9759e5faeed76da85f154f8e90dad145701fc
                                                                    • Instruction ID: 7795a7564029993a5c8c4ac1e25182a2d51a1c6f7b8e281b16b6dc8244c6ef4e
                                                                    • Opcode Fuzzy Hash: 839c14ccb0eb6183acb001e089a9759e5faeed76da85f154f8e90dad145701fc
                                                                    • Instruction Fuzzy Hash: A431A4B4529780ABC788DF28C49691EBBF1FBC9314F806A1CF9868A350D775D855CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180021510 Relevance: 1.3, Strings: 1, Instructions: 61COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: |}6\
                                                                    • API String ID: 0-3074799505
                                                                    • Opcode ID: 23fa338bd40b2aad003d9f0634311d3454ffb754a67c2adf2f847410751a50d9
                                                                    • Instruction ID: deee1345628e574e08842a382b14917b2dc53efdf1581624b2725d4aab218cc2
                                                                    • Opcode Fuzzy Hash: 23fa338bd40b2aad003d9f0634311d3454ffb754a67c2adf2f847410751a50d9
                                                                    • Instruction Fuzzy Hash: 06216EB4529380AB8388DF29C48981EBBF0FBC9344F906A1EF88696364D775D445CB02
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001FA38 Relevance: 1.3, Strings: 1, Instructions: 59COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 3&a
                                                                    • API String ID: 0-537350193
                                                                    • Opcode ID: beaf1e19c187a0f85b52ebc77c111716efe920449ad97bd8647c465ec4e93b8f
                                                                    • Instruction ID: 8a645f8d3c8cc56bac308d2d2ecdfd486002fa9c5fd877c3d873e02a569d50ca
                                                                    • Opcode Fuzzy Hash: beaf1e19c187a0f85b52ebc77c111716efe920449ad97bd8647c465ec4e93b8f
                                                                    • Instruction Fuzzy Hash: 39216E74528781AFC788DF28D49981FBBE1FB88304F806A1DF88687360D774D459CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001435C Relevance: 1.3, Strings: 1, Instructions: 56COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: o0:X
                                                                    • API String ID: 0-645126758
                                                                    • Opcode ID: 16e91aede479f97639727f95d3587bc05ccff40046920f17c5bc1350390a4fa4
                                                                    • Instruction ID: 22f452758bb10e6d75f49cffb2921ccf5c0237a957934827f7fc810dfbc33e73
                                                                    • Opcode Fuzzy Hash: 16e91aede479f97639727f95d3587bc05ccff40046920f17c5bc1350390a4fa4
                                                                    • Instruction Fuzzy Hash: AC2168B060C7848BD348DF68C49691ABBE0FB9D358F504B1DF4CAAA261D3789645CB4A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180020CFC Relevance: 1.3, Strings: 1, Instructions: 55COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: D4}
                                                                    • API String ID: 0-491520632
                                                                    • Opcode ID: e694fe3bb7f23863c566d88b3f3e9b79af36947dfdaac95326105a138b36f14b
                                                                    • Instruction ID: bbb3bee9fa9cdc8f6282772afd18f295cdd348f2c7f059baa6db29b6d6e0bb5b
                                                                    • Opcode Fuzzy Hash: e694fe3bb7f23863c566d88b3f3e9b79af36947dfdaac95326105a138b36f14b
                                                                    • Instruction Fuzzy Hash: A9215DB550C3848BC788DF28C49651BBBE1BB8C318F444B2DF4CAAA365D7789654CF4A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF3081AA0C Relevance: .3, Instructions: 260COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate_errno_getptd
                                                                    • String ID:
                                                                    • API String ID: 1583075380-0
                                                                    • Opcode ID: b49a52df605eb860e81aecf945551c905b422740176ff48a34f4eb53aef691de
                                                                    • Instruction ID: c4151fa962cb732945eab12068d0dae2a8c84db29258b04623c0b535b0c1889d
                                                                    • Opcode Fuzzy Hash: b49a52df605eb860e81aecf945551c905b422740176ff48a34f4eb53aef691de
                                                                    • Instruction Fuzzy Hash: 3DA17322B18A8182DB68DF25A6157FFB292AF85BC8F448136DE4D5BB49CE3CE015D304
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF3081EB60 Relevance: .2, Instructions: 202COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d9410001777fc81e6582bcbf2c9e1b051a8f1f2b874c05684980e9ac5d71aab9
                                                                    • Instruction ID: 9807e3362214f434c997acbe75fdb5f8a1e10860d426009cd6ab84797e750df8
                                                                    • Opcode Fuzzy Hash: d9410001777fc81e6582bcbf2c9e1b051a8f1f2b874c05684980e9ac5d71aab9
                                                                    • Instruction Fuzzy Hash: DE71C172F181464BE75CCB18ED4177866D6EFE4308F589136D90A8AB94EE39F900E744
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180018598 Relevance: .2, Instructions: 197COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5d0a71211182b7f87b6da8fb5c4bb16c050ce1c1bc57c3eb72ccfc764dcd8f25
                                                                    • Instruction ID: 8540b9e78b3a5a21de6b0995fa07f246b5a6616f24314d9c292e70c997d69f1a
                                                                    • Opcode Fuzzy Hash: 5d0a71211182b7f87b6da8fb5c4bb16c050ce1c1bc57c3eb72ccfc764dcd8f25
                                                                    • Instruction Fuzzy Hash: 03916670904B0D8BDF48DF94C48A1EEBBF1FB48358F15821DE84AA7250DB749A89CF85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000F7E0 Relevance: .2, Instructions: 156COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: efccbdecd07d61b7fd9807909e593046fc70b22fd17ef27bebbdee29ceef9f7a
                                                                    • Instruction ID: b4cc55b2ba55f7836136ac8b5ed3643aad821ec95d31101853fef74eb9d9cec8
                                                                    • Opcode Fuzzy Hash: efccbdecd07d61b7fd9807909e593046fc70b22fd17ef27bebbdee29ceef9f7a
                                                                    • Instruction Fuzzy Hash: FF51787090470DABDBA9CF64C4893EEBBF0FB48354F60806DE85697390DB749A85CB81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001DBE8 Relevance: .2, Instructions: 153COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1505da822373411ddcecd725c63ebafe53e843356a51ddc09aa4b8a95d314011
                                                                    • Instruction ID: 8a210f576f06192acb1348665dce29b8299704b90f8c36c4c02948eefca36544
                                                                    • Opcode Fuzzy Hash: 1505da822373411ddcecd725c63ebafe53e843356a51ddc09aa4b8a95d314011
                                                                    • Instruction Fuzzy Hash: 98819EB590034E8FCB48CF68C48A5DE7FB0BB68394F614219F8569A260D774DAA5CFC4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180019300 Relevance: .1, Instructions: 129COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 197fc001b9ca96d8c078894440fafc4def679aa452f545048d4dbe605d0ae04d
                                                                    • Instruction ID: a715a821166c3325a5f96f2d5301173626eb48cd37bd72c2dcb4fea3562e42b3
                                                                    • Opcode Fuzzy Hash: 197fc001b9ca96d8c078894440fafc4def679aa452f545048d4dbe605d0ae04d
                                                                    • Instruction Fuzzy Hash: 79512EB150074A8BDB49DF28C0D76AE3FE1EB64388F20411DFD468A295D774DAA9CBC1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001CD38 Relevance: .1, Instructions: 124COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f7aced778150c02bbca5db0e3f41738242a846810a111e238ccae7171f94d46c
                                                                    • Instruction ID: fc479b7e82b21315ffd406d8fba444b33d09de74539f70da2a8813263b1569c5
                                                                    • Opcode Fuzzy Hash: f7aced778150c02bbca5db0e3f41738242a846810a111e238ccae7171f94d46c
                                                                    • Instruction Fuzzy Hash: 65416D7020DB488FD768DF18948975ABBF0FB9A740F404A9DE5CAC7256D771D844CB82
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800197A0 Relevance: .1, Instructions: 118COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 97ae2c8ea2cdf4840b91f894fd37a694475120081486fc145809f74360d0bada
                                                                    • Instruction ID: dbb4fad0742d9b29c59b9a64f17438fc1cba9462e735a4e3b2d00d7b8da19945
                                                                    • Opcode Fuzzy Hash: 97ae2c8ea2cdf4840b91f894fd37a694475120081486fc145809f74360d0bada
                                                                    • Instruction Fuzzy Hash: 4C5192B490038E8FCB48CF69C84A5DE7BB1FB48358F104A19FC26A6250D7B4D665CF94
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180008AD8 Relevance: .1, Instructions: 107COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f1b44f26b2e4c7e97ddfb81a3adbda3d77288edc4ecbe0bae8cc8933f1c33e44
                                                                    • Instruction ID: 08efbb833ea687ad733901112953304226336fcfa3581264405f9509991f6ff4
                                                                    • Opcode Fuzzy Hash: f1b44f26b2e4c7e97ddfb81a3adbda3d77288edc4ecbe0bae8cc8933f1c33e44
                                                                    • Instruction Fuzzy Hash: 6551BEB490074A8BCB48CF68D4875DE7FB0FB68398F20421DEC56AA250D3B496A5CFD4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180009F5C Relevance: .1, Instructions: 107COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 16eb5be53274359ca32061ddf2fd9752b6767c1a5dd3248deb14ec1aa5e29bf1
                                                                    • Instruction ID: 52c1f8436ada09c5d91cc0f6a0e49c089501cc81ef075f7e28a52ff611ebfcf9
                                                                    • Opcode Fuzzy Hash: 16eb5be53274359ca32061ddf2fd9752b6767c1a5dd3248deb14ec1aa5e29bf1
                                                                    • Instruction Fuzzy Hash: D351B3B190438E8FCB48DF68D98A5DE7BB0FB48348F104A19FC26A6250D3B4D664CF85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000F917 Relevance: .1, Instructions: 99COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bcde6b28aa1f9cc532f581acc23668cd4c3c6920105dcd3780d199daaa58310a
                                                                    • Instruction ID: 871f118089c9e262c63038bd4f0fd9666d89e9c6fa6f13266ea976bdce614408
                                                                    • Opcode Fuzzy Hash: bcde6b28aa1f9cc532f581acc23668cd4c3c6920105dcd3780d199daaa58310a
                                                                    • Instruction Fuzzy Hash: CB41393190071DABDB95CFA4C8892EEBBF1FF44358F608159E852A7384DBB49685CF81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180019E78 Relevance: .1, Instructions: 94COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: be6c09d37bb88d9ef1cd1e4f7c6fe28a3503fab801bd979a9297db1a45dede51
                                                                    • Instruction ID: 72cb41ac5f9990f9c197b8bd4b5430fc958a2c545255f7632808fe9bc15cd904
                                                                    • Opcode Fuzzy Hash: be6c09d37bb88d9ef1cd1e4f7c6fe28a3503fab801bd979a9297db1a45dede51
                                                                    • Instruction Fuzzy Hash: A141D27090034A8BCB48DF68D8865DE7FB0FB58388F20461DE81AA6350D3B896A5CBD5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180001FE0 Relevance: .1, Instructions: 94COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 937cbbccdfb62f32f5a53fbe7826fb6fdb7ed657b014fade726fdd4e8827f138
                                                                    • Instruction ID: 5a85513126e01a98bb902dccfe4af02f6196fd3989a765a33a65cbdcda0cb452
                                                                    • Opcode Fuzzy Hash: 937cbbccdfb62f32f5a53fbe7826fb6fdb7ed657b014fade726fdd4e8827f138
                                                                    • Instruction Fuzzy Hash: 0641E5B091038A8FCF88DF64D84A5DE7BB0FB58358F104A1DFC65A6250E3B49664CF85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180015CB0 Relevance: .1, Instructions: 92COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 17a73d98c2b5216e6ebfe3da59b71ff0bc58f6e68d4a2580613c8fab7b77e503
                                                                    • Instruction ID: 77361ced58272e7b73a95c704b243c92926a81ca7bf4620d616fd1e275fcbc28
                                                                    • Opcode Fuzzy Hash: 17a73d98c2b5216e6ebfe3da59b71ff0bc58f6e68d4a2580613c8fab7b77e503
                                                                    • Instruction Fuzzy Hash: A841D2B190434E8FCB48DF68C4865DE7FF0FB58388F204219E859A6250D3B896A5CFC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF3081A77C Relevance: .1, Instructions: 85COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _getptd
                                                                    • String ID:
                                                                    • API String ID: 3186804695-0
                                                                    • Opcode ID: 07c06ba19e2310f742034fc51624b2b683580184b74621a532736302abba6d70
                                                                    • Instruction ID: b1467377b58d9cb513107874c3183fb972c34f0584ccaec1b5659d7447206fbc
                                                                    • Opcode Fuzzy Hash: 07c06ba19e2310f742034fc51624b2b683580184b74621a532736302abba6d70
                                                                    • Instruction Fuzzy Hash: 2C319222A14B8585EB59DB2AD5193AA77E1EF85BC8F184136EA4D07795DF3CD001C708
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000C4B4 Relevance: .1, Instructions: 75COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d3646060d8cb761d7de136982460322f3472e8f5a21e87ad1ead63779f29ae52
                                                                    • Instruction ID: 4f2f4704f2b9e1c234c275d0f4f9a14eb4d491f2b4b6dbd4d57755e8fe2c6edd
                                                                    • Opcode Fuzzy Hash: d3646060d8cb761d7de136982460322f3472e8f5a21e87ad1ead63779f29ae52
                                                                    • Instruction Fuzzy Hash: 6341C4B090438ECFCF48CF68C8895CE7BB0FF58358F114A19E825A6250D3B49665CF95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800157D8 Relevance: .1, Instructions: 73COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1d53fd4730f7ea41163b882b7fe0da69ca66e61df5fc81e281dc4420083e2c61
                                                                    • Instruction ID: 4854a602bbf38c78d9fab67e5db6ce586c5dff59e36b89151347ba9907d49bba
                                                                    • Opcode Fuzzy Hash: 1d53fd4730f7ea41163b882b7fe0da69ca66e61df5fc81e281dc4420083e2c61
                                                                    • Instruction Fuzzy Hash: D13189B0529781ABD78CDF28C49981EBBE1FBC8344FC46A2DF9868B350D7749405CB46
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001F944 Relevance: .1, Instructions: 54COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 213fcaffb4d8b257d73b1e87ee3d57575e303918952cee2d1b890f97e83a5388
                                                                    • Instruction ID: a8885bbbd8deb659e28c33910928e4ea9ad8e802d57f0785ac04cb05f9903a21
                                                                    • Opcode Fuzzy Hash: 213fcaffb4d8b257d73b1e87ee3d57575e303918952cee2d1b890f97e83a5388
                                                                    • Instruction Fuzzy Hash: 802160B0528784AFC398DF28D49981ABBF1FB89344F806A1DF98687350E374D459CB43
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800124B4 Relevance: .1, Instructions: 53COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 789a1fcad167e99ddc40482d8caf18e48711ae2075d057cfa5242344ff1b2506
                                                                    • Instruction ID: 3e7ffcddda8d873ed620f17f9684606eb13d1dd5f0b21141b7977a2e64531d07
                                                                    • Opcode Fuzzy Hash: 789a1fcad167e99ddc40482d8caf18e48711ae2075d057cfa5242344ff1b2506
                                                                    • Instruction Fuzzy Hash: AF217F74529780AFC788DF29C08981EBBE1FB99748F806A1DF88697354D375D445CF42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800141C0 Relevance: .0, Instructions: 46COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 825ba780bde58c245e7a1d3728ec0527652b1ee71a04877d42e2af350f08e315
                                                                    • Instruction ID: 85e8bde3e512593198615bb83ad7c533a741442781c438c8658c5734f088230b
                                                                    • Opcode Fuzzy Hash: 825ba780bde58c245e7a1d3728ec0527652b1ee71a04877d42e2af350f08e315
                                                                    • Instruction Fuzzy Hash: AA2148B4508384CBD349DF29D05951BBBE0BB8D75CF900B1DF4CAAB264D7789644CB0A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF3081DF20 Relevance: .0, Instructions: 7COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d7cc4962d52e3e4a2947f3a3b752558ec936755315000d7411880e05df0ff2ae
                                                                    • Instruction ID: 724e4565299c9f2487c81041a744712644d2bb52e120dbc6f2f1f3cb3dffcf49
                                                                    • Opcode Fuzzy Hash: d7cc4962d52e3e4a2947f3a3b752558ec936755315000d7411880e05df0ff2ae
                                                                    • Instruction Fuzzy Hash: A5B09229B0CB5986876987076804A19AA96B7ACBE8A4441369D0D63B64D93CAA408B84
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF308198A4 Relevance: 53.8, APIs: 43, Instructions: 94COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: free$ErrorFreeHeapLast_errno
                                                                    • String ID:
                                                                    • API String ID: 1012874770-0
                                                                    • Opcode ID: b5d5b29a13da0feaba005b5cdbb38ef60d3e58c86b165e4530729409fd253580
                                                                    • Instruction ID: 342926d67b63a2a30b20ffddfd002ea7d8e08ce7c25bcb1af329e3058f726fe2
                                                                    • Opcode Fuzzy Hash: b5d5b29a13da0feaba005b5cdbb38ef60d3e58c86b165e4530729409fd253580
                                                                    • Instruction Fuzzy Hash: AE417422A15982C1EE69EB35D8522BC53F0AF88B48F056133EB4E7B3A7CE15D845D358
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF30817BE8 Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 78libraryloaderCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: DecodeErrorLastPointer_errno$AddressLibraryLoadProc
                                                                    • String ID: ADVAPI32.DLL$SystemFunction036
                                                                    • API String ID: 1558914745-1064046199
                                                                    • Opcode ID: a4bc4b26b88413057c65bce35d9d543f8071dd4b5a3168f49804b7622c4c0c09
                                                                    • Instruction ID: dd58363b0f33a93c93b9bad96790286e4811fb2e8da009cf3ec0b43c129c9af4
                                                                    • Opcode Fuzzy Hash: a4bc4b26b88413057c65bce35d9d543f8071dd4b5a3168f49804b7622c4c0c09
                                                                    • Instruction Fuzzy Hash: 6D31C021F0C64382FB18EF25A81177A22E0AF84B8CF44453AEE4D47786DE3CE414E748
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF3082028C Relevance: 21.3, APIs: 14, Instructions: 348COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CompareStringW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FFF308207CE), ref: 00007FFF308202F9
                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FFF308207CE), ref: 00007FFF3082030D
                                                                    • GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FFF308207CE), ref: 00007FFF30820410
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: CompareErrorInfoLastString
                                                                    • String ID:
                                                                    • API String ID: 3723911898-0
                                                                    • Opcode ID: 1736e87f58a818c08770fb04f896c77e61df6c5aeab6e96dba7049e62cf85715
                                                                    • Instruction ID: 3444eb2aea233b9bc7146cf145530251ec03c0ba3303d4a923ed8f19e13894c5
                                                                    • Opcode Fuzzy Hash: 1736e87f58a818c08770fb04f896c77e61df6c5aeab6e96dba7049e62cf85715
                                                                    • Instruction Fuzzy Hash: 88E1BF22A082838AEB30DF1194446BD67EAFB4479CF548537DA5D17BC6CF3CA944EB08
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF308176A0 Relevance: 19.7, APIs: 13, Instructions: 182COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Pointer$DecodeEncode$ConsoleCtrlErrorHandlerLast__doserrno_errno_lock
                                                                    • String ID:
                                                                    • API String ID: 3466867069-0
                                                                    • Opcode ID: 789b8b4bb0ab73352cc37038b561749136146399fcf5725f1f3e9913cb8e60dd
                                                                    • Instruction ID: 1de23230671b35f63dc0b5dfc056181657d19dd6a49d24ebea665b7008fe84c3
                                                                    • Opcode Fuzzy Hash: 789b8b4bb0ab73352cc37038b561749136146399fcf5725f1f3e9913cb8e60dd
                                                                    • Instruction Fuzzy Hash: 2771BC21E0C64381FA6D9B19A45A27F26F5AF8179CF18093FC65E067E1DE2CE445E24C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF30812E18 Relevance: 18.1, APIs: 12, Instructions: 82COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: free$_lock$ErrorFreeHeapLast_errno
                                                                    • String ID:
                                                                    • API String ID: 1575098132-0
                                                                    • Opcode ID: d886c0d7000bdee151ce2691e9d9b5ad3208a0c45e3f1c810682f6e78acd55a8
                                                                    • Instruction ID: c8a48e3e86d4ac21a304d433aa150b313d5dd5d2a4fac536fe41a1df2e1b10f0
                                                                    • Opcode Fuzzy Hash: d886c0d7000bdee151ce2691e9d9b5ad3208a0c45e3f1c810682f6e78acd55a8
                                                                    • Instruction Fuzzy Hash: 4D311C11B1A94285FE6CEBA1A06177853E1AF84B4CF041537EA0E177C6CF1CE861E35D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF3081A250 Relevance: 15.3, APIs: 10, Instructions: 253COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: free$ErrorInfoLast
                                                                    • String ID:
                                                                    • API String ID: 189849726-0
                                                                    • Opcode ID: 5e1deda3965494b22b6a4b1c1a8d863e304f3e95d2d689d04d0c4e6b189d07b4
                                                                    • Instruction ID: ae7d793dbc26a4798af9c8a04486aa40d066a6b858c71c979f05f081e41eb2ae
                                                                    • Opcode Fuzzy Hash: 5e1deda3965494b22b6a4b1c1a8d863e304f3e95d2d689d04d0c4e6b189d07b4
                                                                    • Instruction Fuzzy Hash: BEB19832A0869286DB28CF65E4442F977E5FF48B88F844136EA9C87795DF3DE441DB08
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF30814F04 Relevance: 13.8, APIs: 11, Instructions: 90COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: free$ErrorFreeHeapLast_errno
                                                                    • String ID:
                                                                    • API String ID: 1012874770-0
                                                                    • Opcode ID: 3c3af7d426be30cf8e9a0f4f5ff6786eb9999c553a10af8131577c7025441718
                                                                    • Instruction ID: 1a0f0b763dc51d85d46ece40c60a4a8a2975b38f2b71c7a3966d3098d5bb6d19
                                                                    • Opcode Fuzzy Hash: 3c3af7d426be30cf8e9a0f4f5ff6786eb9999c553a10af8131577c7025441718
                                                                    • Instruction Fuzzy Hash: C3411132A0A986C4EF69DF61D4513B823E0EF88B5CF491033DA0D5A795CF2DE492E359
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF30820A34 Relevance: 13.8, APIs: 9, Instructions: 256COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: free$_errno$DecodeEnvironmentPointerVariable__wtomb_environ
                                                                    • String ID:
                                                                    • API String ID: 3451773520-0
                                                                    • Opcode ID: e694225545c17882180803efd4dd10bf6022db2104e00cc5aed2eaf73a595679
                                                                    • Instruction ID: 8f840336f74164dabf0397acfd7a3f1043ba47567771caf006530af4996b06b4
                                                                    • Opcode Fuzzy Hash: e694225545c17882180803efd4dd10bf6022db2104e00cc5aed2eaf73a595679
                                                                    • Instruction Fuzzy Hash: D1A11625E0AA4341FA24AB15A90027A62D9FF40B9CF148737DA5E477C6DE3CA495FB0C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF3081E23C Relevance: 13.7, APIs: 9, Instructions: 177COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF3081E292
                                                                    • GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF3081E2B1
                                                                    • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF3081E356
                                                                    • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF3081E3B5
                                                                    • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF3081E3F0
                                                                    • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF3081E42C
                                                                    • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF3081E46C
                                                                    • free.LIBCMT ref: 00007FFF3081E47A
                                                                    • free.LIBCMT ref: 00007FFF3081E49C
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$Infofree
                                                                    • String ID:
                                                                    • API String ID: 1638741495-0
                                                                    • Opcode ID: ce8117ab18d8874cf8440c92ec5f3b21420e9de26f709fb2524c2ddf018fd4d7
                                                                    • Instruction ID: 5d3424f7538918fe2d38c7e9b413c44df53223e39214c8f7075f8276d4a5444d
                                                                    • Opcode Fuzzy Hash: ce8117ab18d8874cf8440c92ec5f3b21420e9de26f709fb2524c2ddf018fd4d7
                                                                    • Instruction Fuzzy Hash: 3E61E672A08A8286E7288F2594406B9B7D5FF847ACF544A36EA5D07BD4DF3CE581D308
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF3081352C Relevance: 13.6, APIs: 9, Instructions: 98COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: DecodePointer$_initterm$ExitProcess_lock
                                                                    • String ID:
                                                                    • API String ID: 2551688548-0
                                                                    • Opcode ID: 7b592d45c7ca6c6d8cb3fd2d09d1fb2d25a7c433dc9c00e1470d97789b8f3c14
                                                                    • Instruction ID: 35493d206842dca22ce77ec725d6c4466e7187459ced973bf310d4a9460e6fa1
                                                                    • Opcode Fuzzy Hash: 7b592d45c7ca6c6d8cb3fd2d09d1fb2d25a7c433dc9c00e1470d97789b8f3c14
                                                                    • Instruction Fuzzy Hash: 15418E71A0EA4391EA589B01F84017A62E9FF98B8CF440137EA4E437A5DF3CE455E74C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF30818F34 Relevance: 12.2, APIs: 8, Instructions: 173COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetStringTypeW.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFF30819206), ref: 00007FFF30818F94
                                                                    • GetLastError.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFF30819206), ref: 00007FFF30818FA6
                                                                    • MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFF30819206), ref: 00007FFF30819006
                                                                    • MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFF30819206), ref: 00007FFF308190BC
                                                                    • GetStringTypeW.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFF30819206), ref: 00007FFF308190D3
                                                                    • free.LIBCMT ref: 00007FFF308190E4
                                                                    • GetStringTypeA.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFF30819206), ref: 00007FFF30819161
                                                                    • free.LIBCMT ref: 00007FFF30819171
                                                                      • Part of subcall function 00007FFF3081E23C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF3081E292
                                                                      • Part of subcall function 00007FFF3081E23C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF3081E2B1
                                                                      • Part of subcall function 00007FFF3081E23C: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF3081E3B5
                                                                      • Part of subcall function 00007FFF3081E23C: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF3081E3F0
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$StringType$Infofree$ErrorLast
                                                                    • String ID:
                                                                    • API String ID: 3535580693-0
                                                                    • Opcode ID: 851e935c27dd1964d5f09fdb64281df2a61b0302174b786e63cdd007473657bb
                                                                    • Instruction ID: a12ae0e8cf98a25320cf2b9137f7484075ee11016d2a886657b96ff61dd0bcde
                                                                    • Opcode Fuzzy Hash: 851e935c27dd1964d5f09fdb64281df2a61b0302174b786e63cdd007473657bb
                                                                    • Instruction Fuzzy Hash: F861B132B04A8296EB249F21D44046977D6FF48BECB140636EA5E53B94DE3CE882D344
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF30813758 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 199COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetStartupInfoA.KERNEL32 ref: 00007FFF3081377D
                                                                      • Part of subcall function 00007FFF30813108: Sleep.KERNEL32(?,?,0000000A,00007FFF30812DA3,?,?,?,00007FFF30812DFF,?,?,?,00007FFF3081254F,?,?,?,00007FFF3081262A), ref: 00007FFF3081314D
                                                                    • GetFileType.KERNEL32 ref: 00007FFF308138FA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: FileInfoSleepStartupType
                                                                    • String ID: @
                                                                    • API String ID: 1527402494-2766056989
                                                                    • Opcode ID: be5b348199184886c2585225aa819b02cc7fe3bfefb3d916d7442fb5369bb0a2
                                                                    • Instruction ID: 0ffe39254474ff1d386d1ef13bdc16e73fa74029d073847618e8a3707b41aa35
                                                                    • Opcode Fuzzy Hash: be5b348199184886c2585225aa819b02cc7fe3bfefb3d916d7442fb5369bb0a2
                                                                    • Instruction Fuzzy Hash: DB91B022A1868281E7188B25D4487293BE9FF06B78F654736DA7E473D0DF7CE841E319
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF308125F8 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 195COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _errno$_getptd
                                                                    • String ID: +$-$0$0
                                                                    • API String ID: 3432092939-699404926
                                                                    • Opcode ID: 8efefd5caa40435472e3a9c676caa775b17fe32abe7b41ee90b269364e345ab9
                                                                    • Instruction ID: bc5a0068fa011b6da289bc92d7a0506ea9d3e52a5f53c12aadbfdacee6161bd8
                                                                    • Opcode Fuzzy Hash: 8efefd5caa40435472e3a9c676caa775b17fe32abe7b41ee90b269364e345ab9
                                                                    • Instruction Fuzzy Hash: 5571E322D1C68285F7BE8B25941537B26D1AF5476CF294637CE9E023D1DE7CE8A0E309
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF30816AB8 Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • _FF_MSGBANNER.LIBCMT ref: 00007FFF30816ADF
                                                                      • Part of subcall function 00007FFF30816F0C: GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FFF30817194,?,?,?,?,00007FFF30816C69,?,?,00000000,00007FFF308130C0), ref: 00007FFF30816FCF
                                                                      • Part of subcall function 00007FFF3081334C: ExitProcess.KERNEL32 ref: 00007FFF3081335B
                                                                      • Part of subcall function 00007FFF3081309C: Sleep.KERNEL32(?,?,00000000,00007FFF30816B19,?,?,00000000,00007FFF30816BC3,?,?,?,?,?,?,00000000,00007FFF30812DC8), ref: 00007FFF308130D2
                                                                    • _errno.LIBCMT ref: 00007FFF30816B21
                                                                    • _lock.LIBCMT ref: 00007FFF30816B35
                                                                    • free.LIBCMT ref: 00007FFF30816B57
                                                                    • _errno.LIBCMT ref: 00007FFF30816B5C
                                                                    • LeaveCriticalSection.KERNEL32(?,?,00000000,00007FFF30816BC3,?,?,?,?,?,?,00000000,00007FFF30812DC8,?,?,?,00007FFF30812DFF), ref: 00007FFF30816B82
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _errno$CriticalExitFileLeaveModuleNameProcessSectionSleep_lockfree
                                                                    • String ID:
                                                                    • API String ID: 1354249094-0
                                                                    • Opcode ID: 281a6b99e1ceef077376b7d12b8049e3985eb177f8c0a9ab58ee7c303b441a02
                                                                    • Instruction ID: cd65ca78c338bfd648d9fc3dedbcbc170d6d3336710fe6d89e09e781aaec5f9b
                                                                    • Opcode Fuzzy Hash: 281a6b99e1ceef077376b7d12b8049e3985eb177f8c0a9ab58ee7c303b441a02
                                                                    • Instruction Fuzzy Hash: 5A214121E1C64382F659AF11A45477A62E4FF847ACF045136EA8E867C2CF7CE461E748
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF30812D70 Relevance: 9.0, APIs: 6, Instructions: 37threadCOMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,?,?,00007FFF30812DFF,?,?,?,00007FFF3081254F,?,?,?,00007FFF3081262A), ref: 00007FFF30812D7A
                                                                    • FlsGetValue.KERNEL32(?,?,?,00007FFF30812DFF,?,?,?,00007FFF3081254F,?,?,?,00007FFF3081262A), ref: 00007FFF30812D88
                                                                    • SetLastError.KERNEL32(?,?,?,00007FFF30812DFF,?,?,?,00007FFF3081254F,?,?,?,00007FFF3081262A), ref: 00007FFF30812DE0
                                                                      • Part of subcall function 00007FFF30813108: Sleep.KERNEL32(?,?,0000000A,00007FFF30812DA3,?,?,?,00007FFF30812DFF,?,?,?,00007FFF3081254F,?,?,?,00007FFF3081262A), ref: 00007FFF3081314D
                                                                    • FlsSetValue.KERNEL32(?,?,?,00007FFF30812DFF,?,?,?,00007FFF3081254F,?,?,?,00007FFF3081262A), ref: 00007FFF30812DB4
                                                                    • free.LIBCMT ref: 00007FFF30812DD7
                                                                    • GetCurrentThreadId.KERNEL32 ref: 00007FFF30812DC8
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLastValue_lock$CurrentSleepThreadfree
                                                                    • String ID:
                                                                    • API String ID: 3106088686-0
                                                                    • Opcode ID: 1a58bbec3c0441b91cbee7445021737d92780d7df2029101222d8d22fa3fe0c2
                                                                    • Instruction ID: 5f82c480c527fe200df15e8fb620943f9c254300a4975034e78b947f197c6b78
                                                                    • Opcode Fuzzy Hash: 1a58bbec3c0441b91cbee7445021737d92780d7df2029101222d8d22fa3fe0c2
                                                                    • Instruction Fuzzy Hash: 8101DB20E09F4B92FB18AF75E44453822E6BF487A8F484235C92E123D1DE3CE454F718
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF30819DF8 Relevance: 8.8, APIs: 7, Instructions: 36COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: free$ErrorFreeHeapLast_errno
                                                                    • String ID:
                                                                    • API String ID: 1012874770-0
                                                                    • Opcode ID: 2467c4f6b5832abe9fd2be6a03a61b6f94b407d58b9f6526efad8e926ce1459f
                                                                    • Instruction ID: 33b37b0dd1dbbcee7e439dd6caf38cb51a0d31ef79c9675c32733baa86742cdd
                                                                    • Opcode Fuzzy Hash: 2467c4f6b5832abe9fd2be6a03a61b6f94b407d58b9f6526efad8e926ce1459f
                                                                    • Instruction Fuzzy Hash: 0801B717A0884392EE68EBA1E49107413E5AF84B0CF5A1033D65E66792CFADF891E35C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF30819E90 Relevance: 7.7, APIs: 6, Instructions: 246COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: free
                                                                    • String ID:
                                                                    • API String ID: 1294909896-0
                                                                    • Opcode ID: 66c2a68ae6921ce3eae9ed6cb47659e8359417b2a45b1d2ea151f135524af05a
                                                                    • Instruction ID: d44a307e073a6f7e97c7ea7775482c1f9835be5393e51518d06844e9dd84a29f
                                                                    • Opcode Fuzzy Hash: 66c2a68ae6921ce3eae9ed6cb47659e8359417b2a45b1d2ea151f135524af05a
                                                                    • Instruction Fuzzy Hash: 51B19E32B18B8699EB28DB62E0405EA77E4FF89748F404536EA8E43B85EF7CD105D744
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF308160B0 Relevance: 7.6, APIs: 5, Instructions: 88COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: free$Sleep_errno
                                                                    • String ID:
                                                                    • API String ID: 2081351063-0
                                                                    • Opcode ID: ec136e1b37b0cf75a1e1cbd0173697211363db55ec0de315659f58b3930cb5b5
                                                                    • Instruction ID: d9a02db127c0106ecf433e4562fb974b7b133c6a49442d141ecef35d9451b3f3
                                                                    • Opcode Fuzzy Hash: ec136e1b37b0cf75a1e1cbd0173697211363db55ec0de315659f58b3930cb5b5
                                                                    • Instruction Fuzzy Hash: 18314F21A09B4291EB1DAF25C45127D76E1AF84FCCF488036DE4D1779ADE3CE821E348
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF308172D4 Relevance: 7.6, APIs: 5, Instructions: 72COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • DecodePointer.KERNEL32(?,?,?,00007FFF308173E5,?,?,?,?,00007FFF308134D2,?,?,?,00007FFF308121CB), ref: 00007FFF308172FD
                                                                    • DecodePointer.KERNEL32(?,?,?,00007FFF308173E5,?,?,?,?,00007FFF308134D2,?,?,?,00007FFF308121CB), ref: 00007FFF3081730C
                                                                    • EncodePointer.KERNEL32(?,?,?,00007FFF308173E5,?,?,?,?,00007FFF308134D2,?,?,?,00007FFF308121CB), ref: 00007FFF30817389
                                                                      • Part of subcall function 00007FFF3081318C: realloc.LIBCMT ref: 00007FFF308131B7
                                                                      • Part of subcall function 00007FFF3081318C: Sleep.KERNEL32(?,?,00000000,00007FFF30817379,?,?,?,00007FFF308173E5,?,?,?,?,00007FFF308134D2), ref: 00007FFF308131D3
                                                                    • EncodePointer.KERNEL32(?,?,?,00007FFF308173E5,?,?,?,?,00007FFF308134D2,?,?,?,00007FFF308121CB), ref: 00007FFF30817398
                                                                    • EncodePointer.KERNEL32(?,?,?,00007FFF308173E5,?,?,?,?,00007FFF308134D2,?,?,?,00007FFF308121CB), ref: 00007FFF308173A4
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Pointer$Encode$Decode$Sleep_errnorealloc
                                                                    • String ID:
                                                                    • API String ID: 1310268301-0
                                                                    • Opcode ID: 45f99762a2f7ec127277c333d1f44571b1c8f3f0bb701b28e9aac5b400b42b2d
                                                                    • Instruction ID: 8d338e44445c434ed339ddebad88a8644720aa0e159b8774d0616583429b96d9
                                                                    • Opcode Fuzzy Hash: 45f99762a2f7ec127277c333d1f44571b1c8f3f0bb701b28e9aac5b400b42b2d
                                                                    • Instruction Fuzzy Hash: 5E21A411B0A64251EE18AB21F54407EA2E1BF45BC8F84483BEE1D4B796DE7CE045E34C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF308171A4 Relevance: 7.6, APIs: 5, Instructions: 65COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Pointer$Encode$Decode$Sleep_errnorealloc
                                                                    • String ID:
                                                                    • API String ID: 1310268301-0
                                                                    • Opcode ID: eece0b224e2bcc70f9921190d9f8722cba86776407b6ce9ac89865c4675fc459
                                                                    • Instruction ID: f072970b89128ff5a7d294491e676cc5decf208957ed2c467f0a85b519799da8
                                                                    • Opcode Fuzzy Hash: eece0b224e2bcc70f9921190d9f8722cba86776407b6ce9ac89865c4675fc459
                                                                    • Instruction Fuzzy Hash: 7B21A421B0AA8294EE18EB11F54417AA3E1AF45BC8F48443BEE4E4B756DE3CE055D348
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF30813310 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(?,?,000000FF,00007FFF30813359,?,?,00000028,00007FFF30816C7D,?,?,00000000,00007FFF308130C0,?,?,00000000,00007FFF30816B19), ref: 00007FFF3081331F
                                                                    • GetProcAddress.KERNEL32(?,?,000000FF,00007FFF30813359,?,?,00000028,00007FFF30816C7D,?,?,00000000,00007FFF308130C0,?,?,00000000,00007FFF30816B19), ref: 00007FFF30813334
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: AddressHandleModuleProc
                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                    • API String ID: 1646373207-1276376045
                                                                    • Opcode ID: d72bc5d50b22d09011b632762878156ef0257bf259d16f3c3461911ef1dd3856
                                                                    • Instruction ID: 2c1bd71b8940727d84cf8330a5f2e20f52a9eb5e1999b0eca78f3e21829c9202
                                                                    • Opcode Fuzzy Hash: d72bc5d50b22d09011b632762878156ef0257bf259d16f3c3461911ef1dd3856
                                                                    • Instruction Fuzzy Hash: CCE01250F1960751FE199B50B88413422D46F58B14F88543BC82F063A0DE7CAA98E31C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF3081575C Relevance: 6.4, APIs: 5, Instructions: 134COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                      • Part of subcall function 00007FFF3081309C: Sleep.KERNEL32(?,?,00000000,00007FFF30816B19,?,?,00000000,00007FFF30816BC3,?,?,?,?,?,?,00000000,00007FFF30812DC8), ref: 00007FFF308130D2
                                                                    • free.LIBCMT ref: 00007FFF308158A5
                                                                    • free.LIBCMT ref: 00007FFF308158C1
                                                                      • Part of subcall function 00007FFF30816550: RtlCaptureContext.KERNEL32 ref: 00007FFF3081658F
                                                                      • Part of subcall function 00007FFF30816550: IsDebuggerPresent.KERNEL32 ref: 00007FFF3081662D
                                                                      • Part of subcall function 00007FFF30816550: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFF30816637
                                                                      • Part of subcall function 00007FFF30816550: UnhandledExceptionFilter.KERNEL32 ref: 00007FFF30816642
                                                                      • Part of subcall function 00007FFF30816550: GetCurrentProcess.KERNEL32 ref: 00007FFF30816658
                                                                      • Part of subcall function 00007FFF30816550: TerminateProcess.KERNEL32 ref: 00007FFF30816666
                                                                    • free.LIBCMT ref: 00007FFF308158D6
                                                                      • Part of subcall function 00007FFF30813024: HeapFree.KERNEL32(?,?,00000000,00007FFF30812DDC,?,?,?,00007FFF30812DFF,?,?,?,00007FFF3081254F,?,?,?,00007FFF3081262A), ref: 00007FFF3081303A
                                                                      • Part of subcall function 00007FFF30813024: _errno.LIBCMT ref: 00007FFF30813044
                                                                      • Part of subcall function 00007FFF30813024: GetLastError.KERNEL32(?,?,00000000,00007FFF30812DDC,?,?,?,00007FFF30812DFF,?,?,?,00007FFF3081254F,?,?,?,00007FFF3081262A), ref: 00007FFF3081304C
                                                                    • free.LIBCMT ref: 00007FFF308158F5
                                                                    • free.LIBCMT ref: 00007FFF30815911
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: free$ExceptionFilterProcessUnhandled_errno$CaptureContextCurrentDebuggerErrorFreeHeapLastPresentSleepTerminate
                                                                    • String ID:
                                                                    • API String ID: 2294642566-0
                                                                    • Opcode ID: dc7ff44f8b32ef672d501b76c056c74ad4bf38a7a2c0d5bc14e1adea1997e9e3
                                                                    • Instruction ID: da5c60646ef7affe3cb24b2e5c901b2db97026ce28add750e35db9ec221a6dca
                                                                    • Opcode Fuzzy Hash: dc7ff44f8b32ef672d501b76c056c74ad4bf38a7a2c0d5bc14e1adea1997e9e3
                                                                    • Instruction Fuzzy Hash: 83519F36A05A8582EB24DF2AE85016E63E5FF84BACF484037DE4D47794DE3CD946D348
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF30815B84 Relevance: 6.2, APIs: 4, Instructions: 186COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _getptd
                                                                    • String ID:
                                                                    • API String ID: 3186804695-0
                                                                    • Opcode ID: fa6ae430652ad88a2b7c0fc47314cf8fd6a4311639ac00b8795087540084e4bb
                                                                    • Instruction ID: 6916c23db78ca9212ed857a76e831843e90cb5cf63f8852121c1d4a197b84f51
                                                                    • Opcode Fuzzy Hash: fa6ae430652ad88a2b7c0fc47314cf8fd6a4311639ac00b8795087540084e4bb
                                                                    • Instruction Fuzzy Hash: 45819E72A09682D6DB28DF25E1847AAB3E0FB48788F504136DB8D47B94EF3CE451DB04
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF308161F0 Relevance: 6.1, APIs: 4, Instructions: 122COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _lock$DecodePointer_errno_getptd
                                                                    • String ID:
                                                                    • API String ID: 4201827665-0
                                                                    • Opcode ID: 80346bd32cbc0638794b0fd1901a532c5b35ee42fd123eebcbfe5a7804c514a3
                                                                    • Instruction ID: c1bc038a1ec7cfe7279490acbcf42362a9ecb475f9582d4429e7c369140142f7
                                                                    • Opcode Fuzzy Hash: 80346bd32cbc0638794b0fd1901a532c5b35ee42fd123eebcbfe5a7804c514a3
                                                                    • Instruction Fuzzy Hash: E6515931A0968286FB58DF25E8517BA23E5FF44788F10413BD99E47792DE7CE460E708
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF3081F9E8 Relevance: 6.1, APIs: 4, Instructions: 67COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _errno$DecodePointercalloc
                                                                    • String ID:
                                                                    • API String ID: 1531210114-0
                                                                    • Opcode ID: 135c3f51b5ce2e738d355fd0c7e716948f0291e158272fe6257324d9ebc5dc22
                                                                    • Instruction ID: 2b18c41a981c44b5245aceb66d7a0360ba48198f9c847a37b3a792d166d32ce7
                                                                    • Opcode Fuzzy Hash: 135c3f51b5ce2e738d355fd0c7e716948f0291e158272fe6257324d9ebc5dc22
                                                                    • Instruction Fuzzy Hash: 1821AF32A08B5286FB199F61A41177A62D0AF8478CF088536EB4C47B87DF3CE811D608
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF3081539C Relevance: 6.0, APIs: 4, Instructions: 48COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • _lock.LIBCMT ref: 00007FFF308153B2
                                                                    • free.LIBCMT ref: 00007FFF308153D7
                                                                      • Part of subcall function 00007FFF30813024: HeapFree.KERNEL32(?,?,00000000,00007FFF30812DDC,?,?,?,00007FFF30812DFF,?,?,?,00007FFF3081254F,?,?,?,00007FFF3081262A), ref: 00007FFF3081303A
                                                                      • Part of subcall function 00007FFF30813024: _errno.LIBCMT ref: 00007FFF30813044
                                                                      • Part of subcall function 00007FFF30813024: GetLastError.KERNEL32(?,?,00000000,00007FFF30812DDC,?,?,?,00007FFF30812DFF,?,?,?,00007FFF3081254F,?,?,?,00007FFF3081262A), ref: 00007FFF3081304C
                                                                    • _lock.LIBCMT ref: 00007FFF308153F2
                                                                    • free.LIBCMT ref: 00007FFF30815438
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _lockfree$ErrorFreeHeapLast_errno
                                                                    • String ID:
                                                                    • API String ID: 3188102813-0
                                                                    • Opcode ID: 09c59b142491067d37077feec729aeb8b77d96716ac98985a4df9f6db3f8d771
                                                                    • Instruction ID: 2b1537ae6e5abb961e8493ad162cdd9991921ab1023930fa3b97c84d95578221
                                                                    • Opcode Fuzzy Hash: 09c59b142491067d37077feec729aeb8b77d96716ac98985a4df9f6db3f8d771
                                                                    • Instruction Fuzzy Hash: FB115B21A0B502C6FF5DABB0D46137822E0AF84B5CF445137D66E573C6DE6CA891E32D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF30812C94 Relevance: 6.0, APIs: 4, Instructions: 44COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalDeleteSection$Freefree
                                                                    • String ID:
                                                                    • API String ID: 1250194111-0
                                                                    • Opcode ID: 0b4381b0394cf9d2fe44ee79bc2f59f9ea8a8cfc0730820b202f43bccc0e215f
                                                                    • Instruction ID: 2d9c9a6222200b408799acee19933df4175ac50033f039c4da8c19b28f3cd93c
                                                                    • Opcode Fuzzy Hash: 0b4381b0394cf9d2fe44ee79bc2f59f9ea8a8cfc0730820b202f43bccc0e215f
                                                                    • Instruction Fuzzy Hash: AD115131E09A92C6FA189F15E44413873E4FF44B58F588532DAAD22795CF3CE5B1E708
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF3081544C Relevance: 6.0, APIs: 4, Instructions: 41COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _lock$Sleep_errno_getptd
                                                                    • String ID:
                                                                    • API String ID: 2111406555-0
                                                                    • Opcode ID: 673e868a23441bf53d2040884fedd38da7dd7cebd98ae69a44e812092c6a0ba8
                                                                    • Instruction ID: 6ed07298a1d6cd52c4de417e9ed2b88581729460aac786ae02a347ea8ec816b3
                                                                    • Opcode Fuzzy Hash: 673e868a23441bf53d2040884fedd38da7dd7cebd98ae69a44e812092c6a0ba8
                                                                    • Instruction Fuzzy Hash: 08017121A0A64286F74C6FB5D4517AD63D0EF44B8CF448436DA4D573C6CE3CE860E359
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF3081BB50 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 136COMMONLIBRARYCODE
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: _errno$_getptd
                                                                    • String ID: #
                                                                    • API String ID: 3432092939-1885708031
                                                                    • Opcode ID: 9b19af0c0418e3e0b258a70cd69edc5393c065aacbb8da76a6c44f52b7c881eb
                                                                    • Instruction ID: defd76e1297cf636b86839b904711dda4463902b093ff4e95ee6c1e8a21a2a94
                                                                    • Opcode Fuzzy Hash: 9b19af0c0418e3e0b258a70cd69edc5393c065aacbb8da76a6c44f52b7c881eb
                                                                    • Instruction Fuzzy Hash: FD51C122A0CBC585E7298F29E4402BEBBE0FF81B98F584132DA8C13755CE3DD851EB45
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00007FFF30819BB0 Relevance: 5.1, APIs: 4, Instructions: 148COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.393152646.00007FFF307D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF307D0000, based on PE: true
                                                                    • Associated: 00000002.00000002.393147104.00007FFF307D0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.393948402.00007FFF30822000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394038883.00007FFF30826000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                    • Associated: 00000002.00000002.394054820.00007FFF30829000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7fff307d0000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: free
                                                                    • String ID:
                                                                    • API String ID: 1294909896-0
                                                                    • Opcode ID: b79b3224c3083f646637f6279f6889a3266e8c7020fbd897531d60d37c45b2be
                                                                    • Instruction ID: 73dbad7d2f483bfe441840709f4e2b723bb8cb0529bdfb20e69630ffdc5b4f8d
                                                                    • Opcode Fuzzy Hash: b79b3224c3083f646637f6279f6889a3266e8c7020fbd897531d60d37c45b2be
                                                                    • Instruction Fuzzy Hash: 6D51C032A0868286EB689F26F4401BA77E0BF45B98F554537DBDE07781CE3CE552E348
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180018AB4 Relevance: 5.1, Strings: 4, Instructions: 119COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.392987452.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ,$,$2S=$i`}G
                                                                    • API String ID: 0-4285990414
                                                                    • Opcode ID: 1704a5678c6fc7c63ed33a4399dbb19a0648d0f8b4dca33206a3e55e43de3fb6
                                                                    • Instruction ID: 665cb0e6160ce90faac3fa7baf9a16caae401c848b442bb7533a8cc1fd62885f
                                                                    • Opcode Fuzzy Hash: 1704a5678c6fc7c63ed33a4399dbb19a0648d0f8b4dca33206a3e55e43de3fb6
                                                                    • Instruction Fuzzy Hash: 4D41E57051CB848FD7B4DF18D486BDABBE0FB98750F40495EE48DC3251DBB0A8858B86
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Execution Graph

                                                                    Execution Coverage:12.9%
                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:32
                                                                    Total number of Limit Nodes:0
                                                                    execution_graph 3422 191906b0000 3423 191906b0183 3422->3423 3424 191906b043e VirtualAlloc 3423->3424 3428 191906b0462 3424->3428 3425 191906b0a7b 3426 191906b0531 GetNativeSystemInfo 3426->3425 3427 191906b056d VirtualAlloc 3426->3427 3432 191906b058b 3427->3432 3428->3425 3428->3426 3429 191906b0a00 3429->3425 3430 191906b0a56 RtlAddFunctionTable 3429->3430 3430->3425 3431 191906b09d9 VirtualProtect 3431->3432 3432->3429 3432->3431 3432->3432 3440 18000ac48 3441 18000ac8e 3440->3441 3443 18000b6ec 3441->3443 3444 180021c3c 3441->3444 3445 180021c97 3444->3445 3446 180001bdc CreateProcessW 3445->3446 3447 180021e38 3446->3447 3447->3443 3448 180003598 3451 180003640 3448->3451 3449 1800044c0 3450 180021c3c CreateProcessW 3450->3451 3451->3449 3451->3450 3433 180021c3c 3434 180021c97 3433->3434 3437 180001bdc 3434->3437 3436 180021e38 3438 180001c82 3437->3438 3439 180001d21 CreateProcessW 3438->3439 3439->3436 3452 1800097c0 3455 1800097fc 3452->3455 3453 180021c3c CreateProcessW 3454 180009924 3453->3454 3455->3453 3455->3454

                                                                    Executed Functions

                                                                    Function 00000191906B0000 Relevance: 76.3, APIs: 5, Strings: 38, Instructions: 1094memoryCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 0 191906b0000-191906b0460 call 191906b0aa8 * 2 VirtualAlloc 22 191906b048a-191906b0494 0->22 23 191906b0462-191906b0466 0->23 26 191906b049a-191906b049e 22->26 27 191906b0a91-191906b0aa6 22->27 24 191906b0468-191906b0488 23->24 24->22 24->24 26->27 28 191906b04a4-191906b04a8 26->28 28->27 29 191906b04ae-191906b04b2 28->29 29->27 30 191906b04b8-191906b04bf 29->30 30->27 31 191906b04c5-191906b04d2 30->31 31->27 32 191906b04d8-191906b04e1 31->32 32->27 33 191906b04e7-191906b04f4 32->33 33->27 34 191906b04fa-191906b0507 33->34 35 191906b0509-191906b0511 34->35 36 191906b0531-191906b0567 GetNativeSystemInfo 34->36 37 191906b0513-191906b0518 35->37 36->27 38 191906b056d-191906b0589 VirtualAlloc 36->38 39 191906b051a-191906b051f 37->39 40 191906b0521 37->40 41 191906b058b-191906b059e 38->41 42 191906b05a0-191906b05ac 38->42 44 191906b0523-191906b052f 39->44 40->44 41->42 43 191906b05af-191906b05b2 42->43 46 191906b05b4-191906b05bf 43->46 47 191906b05c1-191906b05db 43->47 44->36 44->37 46->43 48 191906b061b-191906b0622 47->48 49 191906b05dd-191906b05e2 47->49 51 191906b06db-191906b06e2 48->51 52 191906b0628-191906b062f 48->52 50 191906b05e4-191906b05ea 49->50 53 191906b05ec-191906b0609 50->53 54 191906b060b-191906b0619 50->54 56 191906b0864-191906b086b 51->56 57 191906b06e8-191906b06f9 51->57 52->51 55 191906b0635-191906b0642 52->55 53->53 53->54 54->48 54->50 55->51 60 191906b0648-191906b064f 55->60 58 191906b0871-191906b087f 56->58 59 191906b0917-191906b0929 56->59 61 191906b0702-191906b0705 57->61 66 191906b090e-191906b0911 58->66 64 191906b092f-191906b0937 59->64 65 191906b0a07-191906b0a1a 59->65 67 191906b0654-191906b0658 60->67 62 191906b06fb-191906b06ff 61->62 63 191906b0707-191906b070a 61->63 62->61 68 191906b070c-191906b071d 63->68 69 191906b0788-191906b078e 63->69 71 191906b093b-191906b093f 64->71 84 191906b0a1c-191906b0a27 65->84 85 191906b0a40-191906b0a4a 65->85 66->59 70 191906b0884-191906b08a9 66->70 72 191906b06c0-191906b06ca 67->72 73 191906b071f-191906b0720 68->73 74 191906b0794-191906b07a2 68->74 69->74 102 191906b08ab-191906b08b1 70->102 103 191906b0907-191906b090c 70->103 78 191906b09ec-191906b09fa 71->78 79 191906b0945-191906b095a 71->79 76 191906b06cc-191906b06d2 72->76 77 191906b065a-191906b0669 72->77 83 191906b0722-191906b0784 73->83 86 191906b085d-191906b085e 74->86 87 191906b07a8 74->87 76->67 88 191906b06d4-191906b06d5 76->88 80 191906b066b-191906b0678 77->80 81 191906b067a-191906b067e 77->81 78->71 82 191906b0a00-191906b0a01 78->82 90 191906b095c-191906b095e 79->90 91 191906b097b-191906b097d 79->91 92 191906b06bd-191906b06be 80->92 93 191906b068c-191906b0690 81->93 94 191906b0680-191906b068a 81->94 82->65 83->83 97 191906b0786 83->97 98 191906b0a38-191906b0a3e 84->98 100 191906b0a4c-191906b0a54 85->100 101 191906b0a7b-191906b0a8e 85->101 86->56 99 191906b07ae-191906b07d4 87->99 88->51 104 191906b0960-191906b096c 90->104 105 191906b096e-191906b0979 90->105 95 191906b097f-191906b0981 91->95 96 191906b09a2-191906b09a4 91->96 92->72 110 191906b0692-191906b06a3 93->110 111 191906b06a5-191906b06a9 93->111 107 191906b06b6-191906b06ba 94->107 108 191906b0989-191906b098b 95->108 109 191906b0983-191906b0987 95->109 112 191906b09ac-191906b09bb 96->112 113 191906b09a6-191906b09aa 96->113 97->74 98->85 116 191906b0a29-191906b0a35 98->116 131 191906b07d6-191906b07d9 99->131 132 191906b0835-191906b0839 99->132 100->101 117 191906b0a56-191906b0a79 RtlAddFunctionTable 100->117 101->27 114 191906b08bb-191906b08c8 102->114 115 191906b08b3-191906b08b9 102->115 103->66 106 191906b09be-191906b09bf 104->106 105->106 120 191906b09c5-191906b09cb 106->120 107->92 108->96 118 191906b098d-191906b098f 108->118 109->106 110->107 111->92 119 191906b06ab-191906b06b3 111->119 112->106 113->106 122 191906b08ca-191906b08d1 114->122 123 191906b08d3-191906b08e5 114->123 121 191906b08ea-191906b08fe 115->121 116->98 117->101 126 191906b0999-191906b09a0 118->126 127 191906b0991-191906b0997 118->127 119->107 128 191906b09d9-191906b09e9 VirtualProtect 120->128 129 191906b09cd-191906b09d3 120->129 121->103 139 191906b0900-191906b0905 121->139 122->122 122->123 123->121 126->120 127->106 128->78 129->128 136 191906b07db-191906b07e1 131->136 137 191906b07e3-191906b07f0 131->137 133 191906b083b 132->133 134 191906b0844-191906b0850 132->134 133->134 134->99 138 191906b0856-191906b0857 134->138 140 191906b0812-191906b082c 136->140 141 191906b07fb-191906b080d 137->141 142 191906b07f2-191906b07f9 137->142 138->86 139->102 140->132 144 191906b082e-191906b0833 140->144 141->140 142->141 142->142 144->131
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.396789870.00000191906B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000191906B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_191906b0000_rundll32.jbxd
                                                                    Similarity
                                                                    • API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
                                                                    • String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
                                                                    • API String ID: 394283112-2517549848
                                                                    • Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                    • Instruction ID: f7b5c16a0780583289e6c295aea4fb8260e694c7ae6d0781577f6e87ea23f87c
                                                                    • Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                    • Instruction Fuzzy Hash: 59722670518F498BEB68DF19C8A57F9BBE0FB98304F50462DE88AC3251DB34D582CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180001BDC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 115processCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 442 180001bdc-180001cab call 1800142a0 445 180001d21-180001d64 CreateProcessW 442->445 446 180001cad-180001d1b call 18000dd70 442->446 446->445
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.396212398.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateProcess
                                                                    • String ID: :}
                                                                    • API String ID: 963392458-2902022129
                                                                    • Opcode ID: d4da30051582f0c34577a92f260795e531c0ce67ba31d10d3ee514360786ef98
                                                                    • Instruction ID: 26ea99709d6fc87808755d2915912d2f892c3b8ed2aa040ac50dc8635ae9c2e3
                                                                    • Opcode Fuzzy Hash: d4da30051582f0c34577a92f260795e531c0ce67ba31d10d3ee514360786ef98
                                                                    • Instruction Fuzzy Hash: EB415A7091C7888FD7B4DF58D4857AABBE0FBC8314F108A1EE48DD7255DB7498458B82
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Execution Graph

                                                                    Execution Coverage:10.7%
                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:11
                                                                    Total number of Limit Nodes:0
                                                                    execution_graph 3264 1cb18260000 3265 1cb18260183 3264->3265 3266 1cb1826043e VirtualAlloc 3265->3266 3270 1cb18260462 3266->3270 3267 1cb18260a7b 3268 1cb18260531 GetNativeSystemInfo 3268->3267 3269 1cb1826056d VirtualAlloc 3268->3269 3274 1cb1826058b 3269->3274 3270->3267 3270->3268 3271 1cb18260a00 3271->3267 3272 1cb18260a56 RtlAddFunctionTable 3271->3272 3272->3267 3273 1cb182609d9 VirtualProtect 3273->3274 3274->3271 3274->3273 3274->3274

                                                                    Executed Functions

                                                                    Function 000001CB18260000 Relevance: 76.3, APIs: 5, Strings: 38, Instructions: 1094memoryCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 0 1cb18260000-1cb18260460 call 1cb18260aa8 * 2 VirtualAlloc 22 1cb18260462-1cb18260466 0->22 23 1cb1826048a-1cb18260494 0->23 24 1cb18260468-1cb18260488 22->24 26 1cb18260a91-1cb18260aa6 23->26 27 1cb1826049a-1cb1826049e 23->27 24->23 24->24 27->26 28 1cb182604a4-1cb182604a8 27->28 28->26 29 1cb182604ae-1cb182604b2 28->29 29->26 30 1cb182604b8-1cb182604bf 29->30 30->26 31 1cb182604c5-1cb182604d2 30->31 31->26 32 1cb182604d8-1cb182604e1 31->32 32->26 33 1cb182604e7-1cb182604f4 32->33 33->26 34 1cb182604fa-1cb18260507 33->34 35 1cb18260531-1cb18260567 GetNativeSystemInfo 34->35 36 1cb18260509-1cb18260511 34->36 35->26 38 1cb1826056d-1cb18260589 VirtualAlloc 35->38 37 1cb18260513-1cb18260518 36->37 39 1cb18260521 37->39 40 1cb1826051a-1cb1826051f 37->40 41 1cb182605a0-1cb182605ac 38->41 42 1cb1826058b-1cb1826059e 38->42 44 1cb18260523-1cb1826052f 39->44 40->44 43 1cb182605af-1cb182605b2 41->43 42->41 46 1cb182605c1-1cb182605db 43->46 47 1cb182605b4-1cb182605bf 43->47 44->35 44->37 48 1cb182605dd-1cb182605e2 46->48 49 1cb1826061b-1cb18260622 46->49 47->43 50 1cb182605e4-1cb182605ea 48->50 51 1cb182606db-1cb182606e2 49->51 52 1cb18260628-1cb1826062f 49->52 53 1cb1826060b-1cb18260619 50->53 54 1cb182605ec-1cb18260609 50->54 56 1cb182606e8-1cb182606f9 51->56 57 1cb18260864-1cb1826086b 51->57 52->51 55 1cb18260635-1cb18260642 52->55 53->49 53->50 54->53 54->54 55->51 60 1cb18260648-1cb1826064f 55->60 61 1cb18260702-1cb18260705 56->61 58 1cb18260871-1cb1826087f 57->58 59 1cb18260917-1cb18260929 57->59 66 1cb1826090e-1cb18260911 58->66 64 1cb1826092f-1cb18260937 59->64 65 1cb18260a07-1cb18260a1a 59->65 67 1cb18260654-1cb18260658 60->67 62 1cb182606fb-1cb182606ff 61->62 63 1cb18260707-1cb1826070a 61->63 62->61 68 1cb1826070c-1cb1826071d 63->68 69 1cb18260788-1cb1826078e 63->69 71 1cb1826093b-1cb1826093f 64->71 84 1cb18260a40-1cb18260a4a 65->84 85 1cb18260a1c-1cb18260a27 65->85 66->59 70 1cb18260884-1cb182608a9 66->70 72 1cb182606c0-1cb182606ca 67->72 73 1cb1826071f-1cb18260720 68->73 74 1cb18260794-1cb182607a2 68->74 69->74 102 1cb182608ab-1cb182608b1 70->102 103 1cb18260907-1cb1826090c 70->103 78 1cb182609ec-1cb182609fa 71->78 79 1cb18260945-1cb1826095a 71->79 76 1cb182606cc-1cb182606d2 72->76 77 1cb1826065a-1cb18260669 72->77 83 1cb18260722-1cb18260784 73->83 86 1cb1826085d-1cb1826085e 74->86 87 1cb182607a8 74->87 76->67 88 1cb182606d4-1cb182606d5 76->88 80 1cb1826066b-1cb18260678 77->80 81 1cb1826067a-1cb1826067e 77->81 78->71 82 1cb18260a00-1cb18260a01 78->82 90 1cb1826097b-1cb1826097d 79->90 91 1cb1826095c-1cb1826095e 79->91 92 1cb182606bd-1cb182606be 80->92 93 1cb18260680-1cb1826068a 81->93 94 1cb1826068c-1cb18260690 81->94 82->65 83->83 97 1cb18260786 83->97 100 1cb18260a7b-1cb18260a8e 84->100 101 1cb18260a4c-1cb18260a54 84->101 98 1cb18260a38-1cb18260a3e 85->98 86->57 99 1cb182607ae-1cb182607d4 87->99 88->51 95 1cb182609a2-1cb182609a4 90->95 96 1cb1826097f-1cb18260981 90->96 104 1cb18260960-1cb1826096c 91->104 105 1cb1826096e-1cb18260979 91->105 92->72 107 1cb182606b6-1cb182606ba 93->107 110 1cb18260692-1cb182606a3 94->110 111 1cb182606a5-1cb182606a9 94->111 112 1cb182609ac-1cb182609bb 95->112 113 1cb182609a6-1cb182609aa 95->113 108 1cb18260989-1cb1826098b 96->108 109 1cb18260983-1cb18260987 96->109 97->74 98->84 116 1cb18260a29-1cb18260a35 98->116 131 1cb18260835-1cb18260839 99->131 132 1cb182607d6-1cb182607d9 99->132 100->26 101->100 117 1cb18260a56-1cb18260a79 RtlAddFunctionTable 101->117 114 1cb182608bb-1cb182608c8 102->114 115 1cb182608b3-1cb182608b9 102->115 103->66 106 1cb182609be-1cb182609bf 104->106 105->106 120 1cb182609c5-1cb182609cb 106->120 107->92 108->95 118 1cb1826098d-1cb1826098f 108->118 109->106 110->107 111->92 119 1cb182606ab-1cb182606b3 111->119 112->106 113->106 122 1cb182608ca-1cb182608d1 114->122 123 1cb182608d3-1cb182608e5 114->123 121 1cb182608ea-1cb182608fe 115->121 116->98 117->100 126 1cb18260991-1cb18260997 118->126 127 1cb18260999-1cb182609a0 118->127 119->107 128 1cb182609cd-1cb182609d3 120->128 129 1cb182609d9-1cb182609e9 VirtualProtect 120->129 121->103 139 1cb18260900-1cb18260905 121->139 122->122 122->123 123->121 126->106 127->120 128->129 129->78 133 1cb1826083b 131->133 134 1cb18260844-1cb18260850 131->134 136 1cb182607db-1cb182607e1 132->136 137 1cb182607e3-1cb182607f0 132->137 133->134 134->99 138 1cb18260856-1cb18260857 134->138 140 1cb18260812-1cb1826082c 136->140 141 1cb182607f2-1cb182607f9 137->141 142 1cb182607fb-1cb1826080d 137->142 138->86 139->102 140->131 144 1cb1826082e-1cb18260833 140->144 141->141 141->142 142->140 144->132
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.394088627.000001CB18260000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001CB18260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_1cb18260000_rundll32.jbxd
                                                                    Similarity
                                                                    • API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
                                                                    • String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
                                                                    • API String ID: 394283112-2517549848
                                                                    • Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                    • Instruction ID: 76117ace7353a32dccebb97f1a64c639d3c3f46caca75bd82bcd723e21ff8392
                                                                    • Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                    • Instruction Fuzzy Hash: 1E720630518A488BEB59DF18D896BF9B7F1FB94300F25422DE88AD3242DB39D941CBC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018002C058 Relevance: 10.4, Strings: 8, Instructions: 370COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.393369889.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #C$(I$-:$Ekf$<W$Z$l$l
                                                                    • API String ID: 0-464535774
                                                                    • Opcode ID: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
                                                                    • Instruction ID: edc4d0e98499d5b5adff65828f8d1fd2ac7ce79502a6533da94e18623254a36a
                                                                    • Opcode Fuzzy Hash: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
                                                                    • Instruction Fuzzy Hash: C102E3B151038CDBCB99DF28C8CAADD3BA1FB48398F956219FD0697260D774D884CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180010FF4 Relevance: 7.9, Strings: 6, Instructions: 363COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 180 180010ff4-180011016 181 180011020 180->181 182 180011022-180011028 181->182 183 180011814 182->183 184 18001102e-180011034 182->184 185 180011819-18001181f 183->185 186 1800114e2-1800114ec 184->186 187 18001103a-180011040 184->187 185->182 188 180011825-180011832 185->188 191 1800114f5-18001151d 186->191 192 1800114ee-1800114f3 186->192 189 1800113e2-1800114d2 call 180008200 187->189 190 180011046-18001104c 187->190 189->188 199 1800114d8-1800114dd 189->199 190->185 194 180011052-18001120b call 180021040 call 1800291ac 190->194 195 180011523-1800117f4 call 180016314 call 1800291ac call 18001e2bc 191->195 192->195 207 180011212-1800113d7 call 1800291ac call 18001e2bc 194->207 208 18001120d 194->208 209 1800117f9-180011803 195->209 199->182 207->188 215 1800113dd 207->215 208->207 209->188 212 180011805-18001180f 209->212 212->182 215->181
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.393369889.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: )|x$/Zb$/v|$OV4T$\$lA
                                                                    • API String ID: 0-3528011396
                                                                    • Opcode ID: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
                                                                    • Instruction ID: 5dbdb21e6b24644f90705741d0e2e2cc24c858ca1caac6c8284349b4f9dc1789
                                                                    • Opcode Fuzzy Hash: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
                                                                    • Instruction Fuzzy Hash: 8C2204705097C8CBDBBECF64C885BDA7BA8FB44B08F10521DEA4A9E258DB745744CB41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180021618 Relevance: 7.8, Strings: 6, Instructions: 266COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 216 180021618-180021653 217 180021655-18002165a 216->217 218 180021bf3-180021c25 217->218 219 180021660-180021665 217->219 220 180021c2a-180021c2f 218->220 221 180021a81-180021bda call 180016314 219->221 222 18002166b-180021670 219->222 224 180021838-180021845 220->224 225 180021c35 220->225 229 180021bdf-180021bee 221->229 226 1800219f3-180021a7c call 180001b1c 222->226 227 180021676-18002167b 222->227 225->217 226->217 230 1800219e4-1800219ee 227->230 231 180021681-180021686 227->231 229->217 230->217 233 1800219d5-1800219df call 18001dfb4 231->233 234 18002168c-180021691 231->234 233->217 235 180021697-18002169c 234->235 236 18002190c-1800219a5 call 18000abac 234->236 239 1800216a2-1800216a7 235->239 240 180021846-180021907 call 180021434 235->240 243 1800219aa-1800219b0 236->243 239->220 244 1800216ad-180021835 call 180008200 call 1800166c0 239->244 240->217 247 1800219b2-1800219c6 243->247 248 1800219cb-1800219d0 243->248 244->224 247->217 248->217
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.393369889.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $&.+$)O$.pN$F>9$t(/
                                                                    • API String ID: 0-3036092626
                                                                    • Opcode ID: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
                                                                    • Instruction ID: e4baced68933c0a0796cf32b330105f1a6d3ed4de4784e8c7f389f9334031704
                                                                    • Opcode Fuzzy Hash: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
                                                                    • Instruction Fuzzy Hash: E6E109716093C89FEBBACF24C8897DE7BA1FB59344F50421DD88A8E250DB745B49CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000C608 Relevance: 5.6, Strings: 4, Instructions: 616COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 252 18000c608-18000c62d 253 18000c632-18000c637 252->253 254 18000cc8a-18000cc8f 253->254 255 18000c63d 253->255 256 18000cc95-18000cc9a 254->256 257 18000cf2b-18000cfaf call 18001f7c0 call 18001c32c 254->257 258 18000c643-18000c648 255->258 259 18000cb7d-18000cc23 call 1800269b0 call 18001c32c 255->259 262 18000ce33-18000ced7 call 180008ad8 call 18001c32c 256->262 263 18000cca0-18000cca5 256->263 290 18000cfb4-18000d00a call 1800194a4 257->290 264 18000caa5-18000cb78 call 1800176b8 call 18001c32c call 1800194a4 258->264 265 18000c64e-18000c653 258->265 293 18000cc28-18000cc85 call 1800194a4 259->293 304 18000cedc-18000cf26 call 1800194a4 262->304 266 18000cd35-18000cdce call 18000703c call 18001c32c 263->266 267 18000ccab-18000ccb0 263->267 264->253 269 18000c9c1-18000ca52 call 18002870c call 18001c32c 265->269 270 18000c659-18000c65e 265->270 309 18000cdd3-18000ce2e call 1800194a4 266->309 274 18000ccb6-18000cd30 call 180021434 267->274 275 18000d00f-18000d014 267->275 312 18000ca57-18000caa0 call 1800194a4 269->312 277 18000c664-18000c669 270->277 278 18000c8bb-18000c963 call 180002610 call 18001c32c 270->278 274->253 275->253 291 18000d01a-18000d020 275->291 286 18000c7b2-18000c85a call 180019618 call 18001c32c 277->286 287 18000c66f-18000c674 277->287 317 18000c968-18000c9bc call 1800194a4 278->317 324 18000c85f-18000c8b6 call 1800194a4 286->324 287->275 297 18000c67a-18000c73d call 180002178 call 18001c32c 287->297 290->275 293->253 326 18000c742-18000c7ad call 1800194a4 297->326 304->253 309->253 312->253 317->253 324->253 326->253
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.393369889.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: +#;)$K'$sf$w\H
                                                                    • API String ID: 0-1051058546
                                                                    • Opcode ID: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
                                                                    • Instruction ID: 30c6111824d62709d88844cae5ccd518ea343406d57bec7882368cdc1c6a6611
                                                                    • Opcode Fuzzy Hash: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
                                                                    • Instruction Fuzzy Hash: 8362F97050068D8FDB48DF28C89A6DD3FA1FB58388F524229FC4AA7251D778D999CBC4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001E3AC Relevance: 4.0, Strings: 3, Instructions: 215COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.393369889.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: <4P$<8$<w.
                                                                    • API String ID: 0-1030867500
                                                                    • Opcode ID: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
                                                                    • Instruction ID: 97d266913d6b0fd63d839b3c54903fd41a2ccd22a8a26fffcb9587bfe3b6431f
                                                                    • Opcode Fuzzy Hash: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
                                                                    • Instruction Fuzzy Hash: C8B1E17151A384ABD788CF28C1C994BBBE1FBD4754F906A1DF8C68B260D7B0D948CB02
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180009100 Relevance: .1, Instructions: 125COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.393369889.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
                                                                    • Instruction ID: 281782cf28aa09d34d334260f991d1b96cfbd8271b51b9b7c31761fd0664cb75
                                                                    • Opcode Fuzzy Hash: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
                                                                    • Instruction Fuzzy Hash: 4B51EC715087889BCBB8DF18C9856CA7BF0FF95704F50891DE9898B250DF719A44DB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions

                                                                    Function 0000000180022010 Relevance: 9.0, Strings: 7, Instructions: 235COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 358 180022010-18002203b 359 18002203d-180022043 358->359 360 180022338-1800223a1 call 18001455c 359->360 361 180022049-18002204f 359->361 368 1800223a6-1800223ac 360->368 362 180022055-18002205b 361->362 363 18002232e-180022333 361->363 366 180022061-180022067 362->366 367 1800222be-180022329 call 180019cb4 362->367 363->359 370 180022069-18002206f 366->370 371 18002209a-1800222b9 call 18001dbe8 call 180012320 call 1800194a4 366->371 367->359 368->359 372 1800223b2-1800223c2 368->372 370->368 375 180022075-180022083 370->375 371->368 376 180022089-18002208d 375->376 378 180022085-180022086 376->378 379 18002208f-180022098 376->379 378->376 379->359
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.393369889.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: "+H$1l7.$M8;$]$d$]k$]k$94
                                                                    • API String ID: 0-2447245168
                                                                    • Opcode ID: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
                                                                    • Instruction ID: 1221e244f5383d3e6569bf50eb566ee92e7d288cf12f4405919b94e37960c7a7
                                                                    • Opcode Fuzzy Hash: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
                                                                    • Instruction Fuzzy Hash: 3FB10D7160130CCBDBA9DF28C18A6DA3BE1FF48748F114129FD1A97261D774E919CB46
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800059B8 Relevance: 7.9, Strings: 6, Instructions: 408COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 568 1800059b8-180005a02 569 180005a04-180005a09 568->569 570 180006107-1800061a6 call 180001b1c 569->570 571 180005a0f-180005a14 569->571 579 1800061ab-1800061b0 570->579 572 180005a1a-180005a1f 571->572 573 180005fcd-180006102 call 180016314 571->573 576 180005a25-180005a2a 572->576 577 180005da6-180005fb1 call 1800093f0 572->577 573->569 582 1800061bb-18000625a call 180001b1c 576->582 583 180005a30-180005a35 576->583 593 180005fc3-180005fc8 577->593 594 180005fb3-180005fbe 577->594 586 1800061b6 579->586 587 18000625f-180006271 579->587 582->587 584 180005a3b-180005a40 583->584 585 180005d7e-180005d8c 583->585 590 180005a46-180005a4b 584->590 591 180005b78-180005d79 call 180009f5c call 18000a62c call 1800194a4 584->591 592 180005d92-180005d96 585->592 586->569 595 180005a51-180005a56 590->595 596 180005ad8-180005b68 call 18000abac 590->596 591->569 597 180005d98-180005da1 592->597 598 180005d8e-180005d8f 592->598 593->569 594->569 595->579 600 180005a5c-180005ad3 call 180007958 595->600 596->587 607 180005b6e-180005b73 596->607 597->569 598->592 600->569 607->569
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.393369889.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: -!zt$Mv`b$R3T$d}9J$t:v$ru
                                                                    • API String ID: 0-2100131636
                                                                    • Opcode ID: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
                                                                    • Instruction ID: abddbd47ac15f5a8ffacaf8e31a06efd054a3dbd2afb1a66e8bbaa14beb483a4
                                                                    • Opcode Fuzzy Hash: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
                                                                    • Instruction Fuzzy Hash: C1221BB050478C8BDBB8CF64C9897DD7BB0FB44308F10862DDA5AAB250CBB45686CF59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180013780 Relevance: 7.8, Strings: 6, Instructions: 323COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 611 180013780-1800137f4 call 1800142a0 614 1800137fb-180013800 611->614 615 180013806-18001380b 614->615 616 180013c55-180013ce4 call 18002620c 614->616 617 180013811-180013816 615->617 618 180013c4b-180013c50 615->618 625 180013ce6-180013ceb 616->625 626 180013cf0 616->626 620 18001381c-180013821 617->620 621 1800138cd-180013c46 call 180006664 call 18000bb28 call 18002a6c8 call 1800194a4 617->621 618->614 623 180013cf5-180013cfa 620->623 624 180013827-1800138a9 call 18000290c 620->624 621->614 629 1800138ae-1800138cc 623->629 630 180013d00 623->630 624->629 625->614 626->623 630->614
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.393369889.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $$"`2$lbzZ$lmq$tro$kO
                                                                    • API String ID: 0-2401169580
                                                                    • Opcode ID: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
                                                                    • Instruction ID: 279b0f6eedbbacd77816cba7ac57bf6919de5fbe0bc464da326619847ce4fcd1
                                                                    • Opcode Fuzzy Hash: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
                                                                    • Instruction Fuzzy Hash: BBF1C3709047488FDBA8DFA8D9867DDBBB1FB48304F20821DD84AEB255DB749A49CF41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000FC48 Relevance: 6.7, Strings: 5, Instructions: 447COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.393369889.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: )#?$EX.$PT$UbA$2f
                                                                    • API String ID: 0-1318892062
                                                                    • Opcode ID: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
                                                                    • Instruction ID: a9b5704be98d3dd027f678fe08c59eda011257bdda9cf4ed25ea0f7660729633
                                                                    • Opcode Fuzzy Hash: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
                                                                    • Instruction Fuzzy Hash: 8B320DB190078C8BDBB8CF64C8856DD7BF0FB48318F50852DEA1A9B251DBB45685CF98
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001FC0C Relevance: 6.6, Strings: 5, Instructions: 400COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 676 18001fc0c-18001fc44 call 1800142a0 679 18001fc46-18001fc4b 676->679 680 18001fc51 679->680 681 18001ff13-18001ff18 679->681 682 18001fe94-18001ff0e call 180012598 680->682 683 18001fc57-18001fc5c 680->683 684 180020169-1800201f9 call 1800190d4 681->684 685 18001ff1e-18001ff23 681->685 682->679 687 18001fc62-18001fc67 683->687 688 18001fde5-18001fe8f call 180012598 683->688 702 1800201fe-180020203 684->702 689 1800200b6-180020164 call 180012598 685->689 690 18001ff29-18001ff2e 685->690 695 18002020a-18002026b call 1800190d4 687->695 696 18001fc6d-18001fc72 687->696 688->679 689->679 698 1800200a1-1800200b1 call 1800014f8 690->698 699 18001ff34-18001ff39 690->699 711 180020270-180020291 695->711 706 18001fc78-18001fc7d 696->706 707 18001fd57-18001fde0 call 180012598 696->707 698->679 700 180020003-180020091 call 180021434 699->700 701 18001ff3f-18001ff44 699->701 700->711 723 180020097-18002009c 700->723 701->702 709 18001ff4a-18001fffe call 180012598 701->709 710 180020205 702->710 702->711 715 18001fc83-18001fc88 706->715 716 18001fd1f-18001fd52 706->716 707->679 709->679 710->679 715->702 720 18001fc8e-18001fd1a call 18001e938 715->720 716->679 720->679 723->679
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.393369889.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $T$?F$QP|m$qjf$tZp
                                                                    • API String ID: 0-3477398917
                                                                    • Opcode ID: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
                                                                    • Instruction ID: e54beaa769b94aae3cb673a52a2b60ade73482c6e5d3d936cdc9b6ae13d51efd
                                                                    • Opcode Fuzzy Hash: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
                                                                    • Instruction Fuzzy Hash: 0B122870A0470CDFCF69DFA8C08A6DDBBF2FB44344F1091A9E816AB261D7759A19CB41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180016D3C Relevance: 6.6, Strings: 5, Instructions: 379COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.393369889.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: JQ$k&($t$v$x\J
                                                                    • API String ID: 0-1134872184
                                                                    • Opcode ID: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
                                                                    • Instruction ID: 7c1fd17b310acde7e359d6be57bcfb6c2dd011f2caef592e77d3cba241376f6b
                                                                    • Opcode Fuzzy Hash: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
                                                                    • Instruction Fuzzy Hash: F312E0B0504709EFCB99DF28C18AADE7BF0FB48308F40812AF80A9B254D774DA58DB45
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000703C Relevance: 6.3, Strings: 5, Instructions: 87COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.393369889.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: R$)H8$?rIc$L==$V
                                                                    • API String ID: 0-2512384441
                                                                    • Opcode ID: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
                                                                    • Instruction ID: 6f6f9af97a41f07aad9f9d1cbd67af5334817a93c453241fb2a5d498ae2065c2
                                                                    • Opcode Fuzzy Hash: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
                                                                    • Instruction Fuzzy Hash: 3541D0B090074E8BCF48CF64D49A5DE7FB0FB68398F20421DE856A6250D3B896A5CFC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800119A8 Relevance: 6.3, Strings: 5, Instructions: 63COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.393369889.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Qq$bt$vird$+$S
                                                                    • API String ID: 0-3373980505
                                                                    • Opcode ID: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
                                                                    • Instruction ID: 8c34661c01ca41a1498f33dadfb9b2381b3c020394efcb6cfebc1cbd8490f91c
                                                                    • Opcode Fuzzy Hash: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
                                                                    • Instruction Fuzzy Hash: 8831C2B081038A8FDB45CF64C88A5DE7BF0FB58358F115A19F869A6250D3B4D668CF81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180011AD0 Relevance: 5.3, Strings: 4, Instructions: 335COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.393369889.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: V$@$P9$^_"
                                                                    • API String ID: 0-1880944046
                                                                    • Opcode ID: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
                                                                    • Instruction ID: ef3f81825b514374c5d287d432cdf068934c0dc0259921085eace1de493a05f6
                                                                    • Opcode Fuzzy Hash: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
                                                                    • Instruction Fuzzy Hash: B6F1DF70504749EFCB98CF28D18AACE7BE0FB48348F50812AF81A9B264D770DA59DB45
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800132F0 Relevance: 5.3, Strings: 4, Instructions: 312COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.393369889.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: =_$F)k$b/$syG
                                                                    • API String ID: 0-3955183656
                                                                    • Opcode ID: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
                                                                    • Instruction ID: 3a63fdd7148b145f5d2717dabea2a2fa508061acbcc25a132c341bfe6e9ad30f
                                                                    • Opcode Fuzzy Hash: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
                                                                    • Instruction Fuzzy Hash: DED12771A0478D8BCF59DFA8C88A6EEBBB0FB48344F10421DE846A7650D7B4D909CF85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180002D70 Relevance: 5.3, Strings: 4, Instructions: 266COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.393369889.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #X$'Xsa$iJ6$vG
                                                                    • API String ID: 0-746338152
                                                                    • Opcode ID: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
                                                                    • Instruction ID: 8ba50615c78112980223cca8f04f1fa67c4b69ee5a809e4e0bd2b8ae6832a1bb
                                                                    • Opcode Fuzzy Hash: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
                                                                    • Instruction Fuzzy Hash: 93E154B590070DDFCB88DF68D19A9DD7BB9BB49308F404029FC0E9A264D3B4E919CB56
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800097C0 Relevance: 5.3, Strings: 4, Instructions: 257COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.393369889.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: *i^$MIC$-Z$]2
                                                                    • API String ID: 0-498664264
                                                                    • Opcode ID: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
                                                                    • Instruction ID: 9792ecb135b2155067e966d5e38dbf4f409fde80c29e70d57d2078ebe1ce15c6
                                                                    • Opcode Fuzzy Hash: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
                                                                    • Instruction Fuzzy Hash: 10E1C670109B888FDBF8DF64CC86BEB7BA5FB44346F10651DD84A8A290DBB46645CF41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180010758 Relevance: 5.2, Strings: 4, Instructions: 222COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.393369889.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: B$EG$QsF$_
                                                                    • API String ID: 0-784369960
                                                                    • Opcode ID: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
                                                                    • Instruction ID: 62dbbc71664ee0946fffbba3b71afe09b12d9ffe0d1744d6deb9db65ff0cd9cc
                                                                    • Opcode Fuzzy Hash: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
                                                                    • Instruction Fuzzy Hash: 3FB1387010468D8FDF88DF28C88A6DA3FA1FB68388F614219FC4A97250C778D694CBC5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180020334 Relevance: 5.2, Strings: 4, Instructions: 190COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.393369889.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: -`G$.$5B.Y$Z`35
                                                                    • API String ID: 0-1363032466
                                                                    • Opcode ID: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
                                                                    • Instruction ID: b244d414363a4385de25ad5610b22aaac7fb2f2c92cf8150697ad32e565f4bd8
                                                                    • Opcode Fuzzy Hash: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
                                                                    • Instruction Fuzzy Hash: 29A1FB716157888FEB7ADF24C89A7CE7BE1FB49308F40461DD98E8A250D7B49609CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000EE98 Relevance: 5.2, Strings: 4, Instructions: 167COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.393369889.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: *+_$WSh$\O$#o
                                                                    • API String ID: 0-1846314129
                                                                    • Opcode ID: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
                                                                    • Instruction ID: 175ce4bc0e22c7a636d32034be2bbb8ad42f6b3cb6a748f64f507b7f0b29ed37
                                                                    • Opcode Fuzzy Hash: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
                                                                    • Instruction Fuzzy Hash: 1971167160474ECFCB98DF18C489ADA3BE1FB58318F414529FC09A7264DB74DAA8CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180024D80 Relevance: 5.2, Strings: 4, Instructions: 155COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.393369889.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: .B$O$M*K$\<
                                                                    • API String ID: 0-3225238681
                                                                    • Opcode ID: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
                                                                    • Instruction ID: 95d2fbb8f7fe970b1359d27f41ccd6aad584115d4fee043204e0c0f4c3f3b287
                                                                    • Opcode Fuzzy Hash: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
                                                                    • Instruction Fuzzy Hash: 7181E370549788CFEBBACF24C886BDE7BE4FB48744F20461DE85A8A260DB709645CF41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018002A42C Relevance: 5.1, Strings: 4, Instructions: 143COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.393369889.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $$$$xVO$~O
                                                                    • API String ID: 0-3655128719
                                                                    • Opcode ID: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
                                                                    • Instruction ID: 8f78542db34460f4381821bab2b7e4f68a699ed7f8b2fc47c959991f0b02677a
                                                                    • Opcode Fuzzy Hash: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
                                                                    • Instruction Fuzzy Hash: 5B61D1B05187448FD369DF28C18965BBBF1FBC6744F008A1EF6868A260DB76D948CB47
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800024B8 Relevance: 5.1, Strings: 4, Instructions: 79COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.393369889.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ,IW$G$JMg$l
                                                                    • API String ID: 0-1370644289
                                                                    • Opcode ID: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
                                                                    • Instruction ID: 7fb8b97fd43ed4dc52a467cdcf5cca41e6e56dbc92574a5c866222c6b731b82a
                                                                    • Opcode Fuzzy Hash: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
                                                                    • Instruction Fuzzy Hash: 0A41D3B190074E8FCB48CF64C88A5DE7FB0FB18358F10461EE85AA6250D7B89695CFC9
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180018AB4 Relevance: 5.1, Strings: 4, Instructions: 119COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.393369889.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ,$,$2S=$i`}G
                                                                    • API String ID: 0-4285990414
                                                                    • Opcode ID: 1704a5678c6fc7c63ed33a4399dbb19a0648d0f8b4dca33206a3e55e43de3fb6
                                                                    • Instruction ID: 665cb0e6160ce90faac3fa7baf9a16caae401c848b442bb7533a8cc1fd62885f
                                                                    • Opcode Fuzzy Hash: 1704a5678c6fc7c63ed33a4399dbb19a0648d0f8b4dca33206a3e55e43de3fb6
                                                                    • Instruction Fuzzy Hash: 4D41E57051CB848FD7B4DF18D486BDABBE0FB98750F40495EE48DC3251DBB0A8858B86
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Execution Graph

                                                                    Execution Coverage:55.8%
                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:11
                                                                    Total number of Limit Nodes:0
                                                                    execution_graph 162 1b258560000 163 1b258560183 162->163 164 1b25856043e VirtualAlloc 163->164 168 1b258560462 164->168 165 1b258560a7b 166 1b258560531 GetNativeSystemInfo 166->165 167 1b25856056d VirtualAlloc 166->167 171 1b25856058b 167->171 168->165 168->166 169 1b258560a00 169->165 170 1b258560a56 RtlAddFunctionTable 169->170 170->165 171->169 172 1b2585609d9 VirtualProtect 171->172 172->171

                                                                    Callgraph

                                                                    • Executed
                                                                    • Not Executed
                                                                    • Opacity -> Relevance
                                                                    • Disassembly available
                                                                    callgraph 0 Function_000001B258560AA8 1 Function_000001B258560000 1->0

                                                                    Executed Functions

                                                                    Function 000001B258560000 Relevance: 76.3, APIs: 5, Strings: 38, Instructions: 1094memoryCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 0 1b258560000-1b258560460 call 1b258560aa8 * 2 VirtualAlloc 22 1b258560462-1b258560466 0->22 23 1b25856048a-1b258560494 0->23 24 1b258560468-1b258560488 22->24 26 1b258560a91-1b258560aa6 23->26 27 1b25856049a-1b25856049e 23->27 24->23 24->24 27->26 28 1b2585604a4-1b2585604a8 27->28 28->26 29 1b2585604ae-1b2585604b2 28->29 29->26 30 1b2585604b8-1b2585604bf 29->30 30->26 31 1b2585604c5-1b2585604d2 30->31 31->26 32 1b2585604d8-1b2585604e1 31->32 32->26 33 1b2585604e7-1b2585604f4 32->33 33->26 34 1b2585604fa-1b258560507 33->34 35 1b258560509-1b258560511 34->35 36 1b258560531-1b258560567 GetNativeSystemInfo 34->36 37 1b258560513-1b258560518 35->37 36->26 38 1b25856056d-1b258560589 VirtualAlloc 36->38 39 1b258560521 37->39 40 1b25856051a-1b25856051f 37->40 41 1b2585605a0-1b2585605ac 38->41 42 1b25856058b-1b25856059e 38->42 43 1b258560523-1b25856052f 39->43 40->43 44 1b2585605af-1b2585605b2 41->44 42->41 43->36 43->37 45 1b2585605b4-1b2585605bf 44->45 46 1b2585605c1-1b2585605db 44->46 45->44 48 1b2585605dd-1b2585605e2 46->48 49 1b25856061b-1b258560622 46->49 50 1b2585605e4-1b2585605ea 48->50 51 1b258560628-1b25856062f 49->51 52 1b2585606db-1b2585606e2 49->52 53 1b2585605ec-1b258560609 50->53 54 1b25856060b-1b258560619 50->54 51->52 55 1b258560635-1b258560642 51->55 56 1b2585606e8-1b2585606f9 52->56 57 1b258560864-1b25856086b 52->57 53->53 53->54 54->49 54->50 55->52 60 1b258560648-1b25856064f 55->60 61 1b258560702-1b258560705 56->61 58 1b258560917-1b258560929 57->58 59 1b258560871-1b25856087f 57->59 62 1b258560a07-1b258560a1a 58->62 63 1b25856092f-1b258560937 58->63 64 1b25856090e-1b258560911 59->64 65 1b258560654-1b258560658 60->65 66 1b258560707-1b25856070a 61->66 67 1b2585606fb-1b2585606ff 61->67 80 1b258560a40-1b258560a4a 62->80 81 1b258560a1c-1b258560a27 62->81 69 1b25856093b-1b25856093f 63->69 64->58 68 1b258560884-1b2585608a9 64->68 70 1b2585606c0-1b2585606ca 65->70 71 1b258560788-1b25856078e 66->71 72 1b25856070c-1b25856071d 66->72 67->61 97 1b258560907-1b25856090c 68->97 98 1b2585608ab-1b2585608b1 68->98 76 1b258560945-1b25856095a 69->76 77 1b2585609ec-1b2585609fa 69->77 74 1b2585606cc-1b2585606d2 70->74 75 1b25856065a-1b258560669 70->75 73 1b258560794-1b2585607a2 71->73 72->73 78 1b25856071f-1b258560720 72->78 82 1b2585607a8 73->82 83 1b25856085d-1b25856085e 73->83 74->65 84 1b2585606d4-1b2585606d5 74->84 88 1b25856067a-1b25856067e 75->88 89 1b25856066b-1b258560678 75->89 86 1b25856095c-1b25856095e 76->86 87 1b25856097b-1b25856097d 76->87 77->69 90 1b258560a00-1b258560a01 77->90 91 1b258560722-1b258560784 78->91 95 1b258560a4c-1b258560a54 80->95 96 1b258560a7b-1b258560a8e 80->96 93 1b258560a38-1b258560a3e 81->93 94 1b2585607ae-1b2585607d4 82->94 83->57 84->52 99 1b258560960-1b25856096c 86->99 100 1b25856096e-1b258560979 86->100 102 1b2585609a2-1b2585609a4 87->102 103 1b25856097f-1b258560981 87->103 104 1b258560680-1b25856068a 88->104 105 1b25856068c-1b258560690 88->105 101 1b2585606bd-1b2585606be 89->101 90->62 91->91 92 1b258560786 91->92 92->73 93->80 112 1b258560a29-1b258560a35 93->112 131 1b2585607d6-1b2585607d9 94->131 132 1b258560835-1b258560839 94->132 95->96 113 1b258560a56-1b258560a79 RtlAddFunctionTable 95->113 96->26 97->64 110 1b2585608b3-1b2585608b9 98->110 111 1b2585608bb-1b2585608c8 98->111 114 1b2585609be-1b2585609bf 99->114 100->114 101->70 108 1b2585609a6-1b2585609aa 102->108 109 1b2585609ac-1b2585609bb 102->109 115 1b258560989-1b25856098b 103->115 116 1b258560983-1b258560987 103->116 117 1b2585606b6-1b2585606ba 104->117 106 1b2585606a5-1b2585606a9 105->106 107 1b258560692-1b2585606a3 105->107 106->101 119 1b2585606ab-1b2585606b3 106->119 107->117 108->114 109->114 121 1b2585608ea-1b2585608fe 110->121 122 1b2585608d3-1b2585608e5 111->122 123 1b2585608ca-1b2585608d1 111->123 112->93 113->96 120 1b2585609c5-1b2585609cb 114->120 115->102 118 1b25856098d-1b25856098f 115->118 116->114 117->101 126 1b258560999-1b2585609a0 118->126 127 1b258560991-1b258560997 118->127 119->117 128 1b2585609d9-1b2585609e9 VirtualProtect 120->128 129 1b2585609cd-1b2585609d3 120->129 121->97 139 1b258560900-1b258560905 121->139 122->121 123->122 123->123 126->120 127->114 128->77 129->128 136 1b2585607e3-1b2585607f0 131->136 137 1b2585607db-1b2585607e1 131->137 133 1b258560844-1b258560850 132->133 134 1b25856083b 132->134 133->94 138 1b258560856-1b258560857 133->138 134->133 141 1b2585607f2-1b2585607f9 136->141 142 1b2585607fb-1b25856080d 136->142 140 1b258560812-1b25856082c 137->140 138->83 139->98 140->132 144 1b25856082e-1b258560833 140->144 141->141 141->142 142->140 144->131
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.422553564.000001B258560000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B258560000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_1b258560000_rundll32.jbxd
                                                                    Similarity
                                                                    • API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
                                                                    • String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
                                                                    • API String ID: 394283112-2517549848
                                                                    • Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                    • Instruction ID: 4f433e4041758fd1e6e44121b53c4b6d671af79f31564d0a7082ee5db3fe7028
                                                                    • Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                    • Instruction Fuzzy Hash: 5E723730628B488BDB69DF19C8857F9B7E1FB94304F11422DE88BD7241EBB4D946CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Execution Graph

                                                                    Execution Coverage:18.3%
                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                    Signature Coverage:4.8%
                                                                    Total number of Nodes:83
                                                                    Total number of Limit Nodes:8
                                                                    execution_graph 3902 18001aca4 3907 18001ad22 3902->3907 3903 18001ba75 3907->3903 3908 180012b50 3907->3908 3911 18000a4fc 3907->3911 3914 18001cec4 3907->3914 3910 180012b8a 3908->3910 3909 180012bfb InternetOpenW 3909->3907 3910->3909 3913 18000a572 3911->3913 3912 18000a5f0 HttpOpenRequestW 3912->3907 3913->3912 3916 18001cf4a 3914->3916 3915 18001cfe2 InternetConnectW 3915->3907 3916->3915 3917 180015388 3920 1800227d4 3917->3920 3919 1800153e3 3924 18002281d 3920->3924 3922 180024315 3922->3919 3924->3922 3926 18001c05c 3924->3926 3930 18001c568 3924->3930 3937 180017908 3924->3937 3928 18001c0af 3926->3928 3929 18001c2e1 3928->3929 3941 18002ad58 3928->3941 3929->3924 3933 18001c58a 3930->3933 3932 18001c948 3932->3924 3933->3932 3948 180003598 3933->3948 3952 18000ac48 3933->3952 3956 180025dac 3933->3956 3960 1800097c0 3933->3960 3939 180017932 3937->3939 3938 180015e2c CreateThread 3938->3939 3939->3938 3940 180017bcd 3939->3940 3940->3924 3944 1800046a8 3941->3944 3943 18002ae38 3943->3928 3946 1800046ec 3944->3946 3945 180004982 3945->3943 3946->3945 3947 180004945 Process32FirstW 3946->3947 3947->3946 3950 180003640 3948->3950 3949 1800044c0 3949->3933 3950->3949 3964 18001ed50 3950->3964 3954 18000ac8e 3952->3954 3953 18000b5fe 3953->3933 3954->3953 3955 18001ed50 CreateFileW 3954->3955 3955->3954 3959 180025dde 3956->3959 3958 180026180 3958->3933 3959->3958 3971 180015e2c 3959->3971 3961 1800097fc 3960->3961 3962 18000981d 3961->3962 3963 18001ed50 CreateFileW 3961->3963 3962->3933 3963->3961 3966 18001ed7a 3964->3966 3967 18001f06b 3966->3967 3968 18000fb00 3966->3968 3967->3950 3970 18000fb80 3968->3970 3969 18000fc15 CreateFileW 3969->3966 3970->3969 3973 180015ea5 3971->3973 3972 180015f3b CreateThread 3972->3959 3973->3972 3974 b90000 3975 b90183 3974->3975 3976 b9043e VirtualAlloc 3975->3976 3980 b90462 3976->3980 3977 b90a7b 3978 b90531 GetNativeSystemInfo 3978->3977 3979 b9056d VirtualAlloc 3978->3979 3984 b9058b 3979->3984 3980->3977 3980->3978 3981 b90a00 3981->3977 3982 b90a56 RtlAddFunctionTable 3981->3982 3982->3977 3983 b909d9 VirtualProtect 3983->3984 3984->3981 3984->3983 3984->3984 3985 180015e2c 3987 180015ea5 3985->3987 3986 180015f3b CreateThread 3987->3986 3998 18001496c 4001 1800149ce 3998->4001 3999 1800152ba 4000 18000fb00 CreateFileW 4000->4001 4001->3999 4001->4000 3988 180024d80 3990 180024eed 3988->3990 3989 1800250bd 3990->3989 3992 180019a30 3990->3992 3993 180019aa4 3992->3993 3994 180019b2a GetVolumeInformationW 3993->3994 3994->3989 3995 18000fb00 3997 18000fb80 3995->3997 3996 18000fc15 CreateFileW 3997->3996

                                                                    Executed Functions

                                                                    Function 00B90000 Relevance: 76.3, APIs: 5, Strings: 38, Instructions: 1094memoryCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 0 b90000-b90460 call b90aa8 * 2 VirtualAlloc 22 b9048a-b90494 0->22 23 b90462-b90466 0->23 26 b9049a-b9049e 22->26 27 b90a91-b90aa6 22->27 24 b90468-b90488 23->24 24->22 24->24 26->27 28 b904a4-b904a8 26->28 28->27 29 b904ae-b904b2 28->29 29->27 30 b904b8-b904bf 29->30 30->27 31 b904c5-b904d2 30->31 31->27 32 b904d8-b904e1 31->32 32->27 33 b904e7-b904f4 32->33 33->27 34 b904fa-b90507 33->34 35 b90509-b90511 34->35 36 b90531-b90567 GetNativeSystemInfo 34->36 37 b90513-b90518 35->37 36->27 38 b9056d-b90589 VirtualAlloc 36->38 39 b9051a-b9051f 37->39 40 b90521 37->40 41 b9058b-b9059e 38->41 42 b905a0-b905ac 38->42 43 b90523-b9052f 39->43 40->43 41->42 44 b905af-b905b2 42->44 43->36 43->37 46 b905c1-b905db 44->46 47 b905b4-b905bf 44->47 48 b9061b-b90622 46->48 49 b905dd-b905e2 46->49 47->44 51 b90628-b9062f 48->51 52 b906db-b906e2 48->52 50 b905e4-b905ea 49->50 53 b9060b-b90619 50->53 54 b905ec-b90609 50->54 51->52 55 b90635-b90642 51->55 56 b906e8-b906f9 52->56 57 b90864-b9086b 52->57 53->48 53->50 54->53 54->54 55->52 60 b90648-b9064f 55->60 61 b90702-b90705 56->61 58 b90871-b9087f 57->58 59 b90917-b90929 57->59 64 b9090e-b90911 58->64 62 b9092f-b90937 59->62 63 b90a07-b90a1a 59->63 65 b90654-b90658 60->65 66 b906fb-b906ff 61->66 67 b90707-b9070a 61->67 69 b9093b-b9093f 62->69 90 b90a1c-b90a27 63->90 91 b90a40-b90a4a 63->91 64->59 68 b90884-b908a9 64->68 70 b906c0-b906ca 65->70 66->61 71 b90788-b9078e 67->71 72 b9070c-b9071d 67->72 95 b908ab-b908b1 68->95 96 b90907-b9090c 68->96 75 b909ec-b909fa 69->75 76 b90945-b9095a 69->76 73 b9065a-b90669 70->73 74 b906cc-b906d2 70->74 78 b90794-b907a2 71->78 77 b9071f-b90720 72->77 72->78 86 b9066b-b90678 73->86 87 b9067a-b9067e 73->87 74->65 82 b906d4-b906d5 74->82 75->69 88 b90a00-b90a01 75->88 84 b9097b-b9097d 76->84 85 b9095c-b9095e 76->85 89 b90722-b90784 77->89 80 b907a8 78->80 81 b9085d-b9085e 78->81 92 b907ae-b907d4 80->92 81->57 82->52 100 b9097f-b90981 84->100 101 b909a2-b909a4 84->101 97 b9096e-b90979 85->97 98 b90960-b9096c 85->98 99 b906bd-b906be 86->99 102 b9068c-b90690 87->102 103 b90680-b9068a 87->103 88->63 89->89 104 b90786 89->104 105 b90a38-b90a3e 90->105 93 b90a7b-b90a8e 91->93 94 b90a4c-b90a54 91->94 129 b90835-b90839 92->129 130 b907d6-b907d9 92->130 93->27 94->93 111 b90a56-b90a79 RtlAddFunctionTable 94->111 108 b908bb-b908c8 95->108 109 b908b3-b908b9 95->109 96->64 112 b909be-b909bf 97->112 98->112 99->70 113 b90989-b9098b 100->113 114 b90983-b90987 100->114 106 b909ac-b909bb 101->106 107 b909a6-b909aa 101->107 116 b90692-b906a3 102->116 117 b906a5-b906a9 102->117 115 b906b6-b906ba 103->115 104->78 105->91 110 b90a29-b90a35 105->110 106->112 107->112 120 b908ca-b908d1 108->120 121 b908d3-b908e5 108->121 119 b908ea-b908fe 109->119 110->105 111->93 118 b909c5-b909cb 112->118 113->101 124 b9098d-b9098f 113->124 114->112 115->99 116->115 117->99 125 b906ab-b906b3 117->125 126 b909d9-b909e9 VirtualProtect 118->126 127 b909cd-b909d3 118->127 119->96 139 b90900-b90905 119->139 120->120 120->121 121->119 131 b90999-b909a0 124->131 132 b90991-b90997 124->132 125->115 126->75 127->126 136 b9083b 129->136 137 b90844-b90850 129->137 134 b907db-b907e1 130->134 135 b907e3-b907f0 130->135 131->118 132->112 140 b90812-b9082c 134->140 141 b907fb-b9080d 135->141 142 b907f2-b907f9 135->142 136->137 137->92 138 b90856-b90857 137->138 138->81 139->95 140->129 144 b9082e-b90833 140->144 141->140 142->141 142->142 144->130
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.896816701.0000000000B90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_b90000_regsvr32.jbxd
                                                                    Similarity
                                                                    • API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
                                                                    • String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
                                                                    • API String ID: 394283112-2517549848
                                                                    • Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                    • Instruction ID: cd3881381028f12d213600dbc35e7bc89a1c169f9c4437501163ae7738e53371
                                                                    • Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
                                                                    • Instruction Fuzzy Hash: 8B72C531628B488FDB29EF18C8856B9B7E1FF98305F10466DE88BD7211DB34D946CB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000D26C Relevance: 7.9, Strings: 6, Instructions: 361COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.897009415.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #X$Ec;$J$^c$^c$n
                                                                    • API String ID: 0-2929744921
                                                                    • Opcode ID: 4bf1a5684c4273f47db2f7bfe37ec9194a020a583a1b353a94edbff9173a6149
                                                                    • Instruction ID: 2841c3f5e183e4376706155e5f630a85a86355917b0bfec54de2fd5c82beda78
                                                                    • Opcode Fuzzy Hash: 4bf1a5684c4273f47db2f7bfe37ec9194a020a583a1b353a94edbff9173a6149
                                                                    • Instruction Fuzzy Hash: DB0214705187C88BC798DFA8C48965EFBE1FB98744F108A1DF48687660DBF4D948CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800132F0 Relevance: 5.3, Strings: 4, Instructions: 312COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 634 1800132f0-18001332a 635 18001332c-180013331 634->635 636 1800136a3 635->636 637 180013337-18001333c 635->637 638 1800136a8-1800136ad 636->638 639 180013342-180013347 637->639 640 1800135f0-18001368c call 180021434 637->640 638->635 641 1800136b3-1800136b6 638->641 639->638 643 18001334d-1800133c6 call 18001a754 639->643 647 180013691-180013697 640->647 645 180013759-180013760 641->645 646 1800136bc-180013757 call 180013e28 641->646 649 1800133cb-1800133d0 643->649 651 180013763-18001377d 645->651 646->651 647->641 648 180013699-18001369e 647->648 652 1800135e2-1800135eb 648->652 649->646 653 1800133d6-1800133db 649->653 652->635 653->641 655 1800133e1-1800133e6 653->655 655->652 656 1800133ec-1800134a8 call 180021434 655->656 656->641 659 1800134ae-1800135dc call 180016428 call 180013e28 656->659 659->641 659->652
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.897009415.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: =_$F)k$b/$syG
                                                                    • API String ID: 0-3955183656
                                                                    • Opcode ID: 78e362ff9fa706a76cdd339057cb87764c88e196f3f9d59d0d5946dc172ac972
                                                                    • Instruction ID: 3a63fdd7148b145f5d2717dabea2a2fa508061acbcc25a132c341bfe6e9ad30f
                                                                    • Opcode Fuzzy Hash: 78e362ff9fa706a76cdd339057cb87764c88e196f3f9d59d0d5946dc172ac972
                                                                    • Instruction Fuzzy Hash: DED12771A0478D8BCF59DFA8C88A6EEBBB0FB48344F10421DE846A7650D7B4D909CF85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00000001800046A8 Relevance: 2.7, Strings: 2, Instructions: 191COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.897009415.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 5IF$P)#
                                                                    • API String ID: 0-1025399686
                                                                    • Opcode ID: f542572e4f2ff63548a52b2cdf5e12f4f3f89a6a74df4dd4d6ea84f2146f04ed
                                                                    • Instruction ID: ff53fea05c8e9f3baddf865253a509f05c382ca6cc85a3c859ee45a04624b947
                                                                    • Opcode Fuzzy Hash: f542572e4f2ff63548a52b2cdf5e12f4f3f89a6a74df4dd4d6ea84f2146f04ed
                                                                    • Instruction Fuzzy Hash: 0B9182711197889FCBA9DF18C8857DEB7E0FB88744F90561DF84A8B260C7B4DA49CB42
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018001CEC4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89networkCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 584 18001cec4-18001cf6a call 1800142a0 587 18001cfe2-18001d01f InternetConnectW 584->587 588 18001cf6c-18001cfdc call 18000dd70 584->588 588->587
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.897009415.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ConnectInternet
                                                                    • String ID: :G?$C
                                                                    • API String ID: 3050416762-1225920220
                                                                    • Opcode ID: 76a7b635ccb7068e30ecf2b503a3beb8f1d88f81d4224a3a6f9b87d06452e60c
                                                                    • Instruction ID: f2a8b8884ccc4c3404819a5ba5e10ed0cdd0f68caef2c301b3e7290f999a0a2a
                                                                    • Opcode Fuzzy Hash: 76a7b635ccb7068e30ecf2b503a3beb8f1d88f81d4224a3a6f9b87d06452e60c
                                                                    • Instruction Fuzzy Hash: 5941F67450CB888FD7A8DF18D0857AAB7E0FB98314F508A5EE8CDC7296DB749844CB46
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000FB00 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 89fileCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.897009415.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateFile
                                                                    • String ID: gF\
                                                                    • API String ID: 823142352-1982329323
                                                                    • Opcode ID: 7df644aaf73cc9bcde4b6fb7fa72ed7f80eca5e2f74ec0139d961ef78fad827b
                                                                    • Instruction ID: 218d4d5182cb26b0f36475523bc21bdebfc34a2f4da3002633262ff40041eb9b
                                                                    • Opcode Fuzzy Hash: 7df644aaf73cc9bcde4b6fb7fa72ed7f80eca5e2f74ec0139d961ef78fad827b
                                                                    • Instruction Fuzzy Hash: 1931697051C7848BD778DF28D48679ABBE0FB89304F10891EE88DC3352DB709885CB86
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 000000018000A4FC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 86networkCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.897009415.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: HttpOpenRequest
                                                                    • String ID: :G?
                                                                    • API String ID: 1984915467-1508054202
                                                                    • Opcode ID: 21630c4fbef06d8aacd4c702dff3e94d0932750c237c7792a79e645746d5d1eb
                                                                    • Instruction ID: 60d2efcdc3634c8de813e735c521a1a1b2f1d3197bf379f764bafd55f5181dd8
                                                                    • Opcode Fuzzy Hash: 21630c4fbef06d8aacd4c702dff3e94d0932750c237c7792a79e645746d5d1eb
                                                                    • Instruction Fuzzy Hash: 83314E7060CB848FDBA8DF18D08679BB7E0FB98315F50455DE88CC7296DB789944CB86
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180012B50 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50networkCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.897009415.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: InternetOpen
                                                                    • String ID: :G?
                                                                    • API String ID: 2038078732-1508054202
                                                                    • Opcode ID: 73d4d0fe1beb5fabfcdff42c943db3c290933a411410652e7bad060f5d798a44
                                                                    • Instruction ID: c9298170b99e71c9961e7bb575de84f4b40d7dd1197e6373e1c7e5d4160ea6d3
                                                                    • Opcode Fuzzy Hash: 73d4d0fe1beb5fabfcdff42c943db3c290933a411410652e7bad060f5d798a44
                                                                    • Instruction Fuzzy Hash: 6F110A71518B888BD3A4DF64D48979BB7E1FB88319F50CA1DF4D9C6250DB788589CB02
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180015E2C Relevance: 1.6, APIs: 1, Instructions: 88threadCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.897009415.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateThread
                                                                    • String ID:
                                                                    • API String ID: 2422867632-0
                                                                    • Opcode ID: e7c4e665c3955ccb08a2ed1da7b867fe01ee184c9f438c553d3e32e703deb0b1
                                                                    • Instruction ID: c545beb4aab352fd45c13a3c06d211153dc7cc573a2023b45670cfe369ebb01f
                                                                    • Opcode Fuzzy Hash: e7c4e665c3955ccb08a2ed1da7b867fe01ee184c9f438c553d3e32e703deb0b1
                                                                    • Instruction Fuzzy Hash: 0731F67061CB448FD7A8DF68D48579ABBE0FB88304F508A5EE88CD7356DB349944CB86
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0000000180019A30 Relevance: 1.6, APIs: 1, Instructions: 85COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.897009415.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: InformationVolume
                                                                    • String ID:
                                                                    • API String ID: 2039140958-0
                                                                    • Opcode ID: 88af29f83271a8505691566097a2d6f523e627b34a42d7322f8369dcba0ae3fb
                                                                    • Instruction ID: 89e8e56e51c5a60af2ecd67268569f3ffacd31b875f751963744359e30ad4776
                                                                    • Opcode Fuzzy Hash: 88af29f83271a8505691566097a2d6f523e627b34a42d7322f8369dcba0ae3fb
                                                                    • Instruction Fuzzy Hash: 2B31407051CB448FD7A8DF18D4C579AB7E0FB88315F60855EE88CC7255CB749948CB86
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%